FIX Allow double dots in path when not attempting directory traversal (…

…#11219)
silverstripe · May 6, 2024 · a92baea · a92baea
1 parent 44f77ec
commit a92baea
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/src/Core/Path.php b/src/Core/Path.php
@@ -34,7 +34,7 @@ public static function join(...$parts)
         $fullPath = static::normalise(implode(DIRECTORY_SEPARATOR, $parts));
 
         // Protect against directory traversal vulnerability (OTG-AUTHZ-001)
-        if (strpos($fullPath ?? '', '..') !== false) {
+        if ($fullPath === '..' || str_ends_with($fullPath, '/..') || str_contains($fullPath, '../')) {
             throw new InvalidArgumentException('Can not collapse relative folders');
         }
 

diff --git a/tests/php/Core/PathTest.php b/tests/php/Core/PathTest.php
@@ -48,6 +48,8 @@ public function providerTestJoinPaths()
             [['\\', '', '/root', '/', ' ', '/', '\\'], '/root'],
             // join blocks of paths
             [['/root/dir', 'another/path\\to/join'], '/root/dir/another/path/to/join'],
+            // Double dot is fine if it's not attempting directory traversal
+            [['/root/my..name/', 'another/path\\to/join'], '/root/my..name/another/path/to/join'],
         ];
 
         // Rewrite tests for other filesystems (output arg only)
@@ -79,6 +81,8 @@ public function providerTestJoinPathsErrors()
             [['/base', '../passwd'], 'Can not collapse relative folders'],
             [['/base/../', 'passwd/path'], 'Can not collapse relative folders'],
             [['../', 'passwd/path'], 'Can not collapse relative folders'],
+            [['..', 'passwd/path'], 'Can not collapse relative folders'],
+            [['base/..', 'passwd/path'], 'Can not collapse relative folders'],
         ];
     }