Files in the media library can now contain two dots

2015-12-02 14:39:32 +01:00 · 2015-12-02 14:39:32 +01:00 · 8f1e2ff8a3
parent 8318c05b37
commit 8f1e2ff8a3
1 changed files with 29 additions and 8 deletions
--- a/modules/cms/classes/MediaLibrary.php
+++ b/modules/cms/classes/MediaLibrary.php
@ -125,9 +125,9 @@ class MediaLibrary
    /**
     * Finds files in the Library.
     * @param string $searchTerm Specifies the search term.
-     * @param string $sortBy Determines the sorting preference. 
+     * @param string $sortBy Determines the sorting preference.
     * Supported values are 'title', 'size', 'lastModified' (see SORT_BY_XXX class constants).
-     * @param string $filter Determines the document type filtering preference. 
+     * @param string $filter Determines the document type filtering preference.
     * Supported values are 'image', 'video', 'audio', 'document' (see FILE_TYPE_XXX constants of MediaLibraryItem class).
     * @return array Returns an array of MediaLibraryItem objects.
     */
@ -384,10 +384,31 @@ class MediaLibrary
        if ($normalizeOnly)
            return $path;

-        if (strpos($path, '..') !== false)
-            throw new ApplicationException(Lang::get('cms::lang.media.invalid_path', ['path'=>$path]));
+        $regexDirectorySeparator = preg_quote(DIRECTORY_SEPARATOR, '/');
+        $regexDot = preg_quote('.', '/');
+        $regex = [

-        if (strpos($path, './') !== false || strpos($path, '//') !== false)
+            /**
+             * Checks for parent or current directory reference at beginning of path
+             */
+            '(^'.$regexDot.'+?'.$regexDirectorySeparator.')',
+
+            /**
+             * Check for parent or current directory reference in middle of path
+             */
+             '('.$regexDirectorySeparator.$regexDot.'+?'.$regexDirectorySeparator.')',
+
+            /**
+            * Check for parent or current directory reference at end of path
+             */
+             '('.$regexDirectorySeparator.$regexDot.'+?$)',
+        ];
+
+        /**
+         * Now, let's combine everything to one regex
+         */
+        $regex = '/'.implode('|', $regex).'/';
+        if (preg_match($regex, $path) !== 0 || strpos($path, '//') !== false)
            throw new ApplicationException(Lang::get('cms::lang.media.invalid_path', ['path'=>$path]));

        return $path;
@ -537,7 +558,7 @@ class MediaLibrary
    /**
     * Sorts the item list by title, size or last modified date.
     * @param array $itemList Specifies the item list to sort.
-     * @param string $sortBy Determines the sorting preference. 
+     * @param string $sortBy Determines the sorting preference.
     * Supported values are 'title', 'size', 'lastModified' (see SORT_BY_XXX class constants).
     */
    protected function sortItemList(&$itemList, $sortBy)
@ -567,7 +588,7 @@ class MediaLibrary
    /**
     * Filters item list by file type.
     * @param array $itemList Specifies the item list to sort.
-     * @param string $filter Determines the document type filtering preference. 
+     * @param string $filter Determines the document type filtering preference.
     * Supported values are 'image', 'video', 'audio', 'document' (see FILE_TYPE_XXX constants of MediaLibraryItem class).
     */
    protected function filterItemList(&$itemList, $filter)
@ -586,7 +607,7 @@ class MediaLibrary

    /**
     * Initializes and returns the Media Library disk.
-     * This method should always be used instead of trying to access the 
+     * This method should always be used instead of trying to access the
     * $storageDisk property directly as initializing the disc requires
     * communicating with the remote storage.
     * @return mixed Returns the storage disk object.