From 8f1e2ff8a318e90c0cb4b28eff4dc70801d39c85 Mon Sep 17 00:00:00 2001
From: "Joel E. Svensson"
Date: Wed, 2 Dec 2015 14:39:32 +0100
Subject: [PATCH] Files in the media library can now contain two dots

---
 modules/cms/classes/MediaLibrary.php | 37 ++++++++++++++++++++++------
 1 file changed, 29 insertions(+), 8 deletions(-)

diff --git a/modules/cms/classes/MediaLibrary.php b/modules/cms/classes/MediaLibrary.php
index 2bfadb3ef..42fa3e968 100644
--- a/modules/cms/classes/MediaLibrary.php
+++ b/modules/cms/classes/MediaLibrary.php
@@ -125,9 +125,9 @@ class MediaLibrary
     /**
      * Finds files in the Library.
      * @param string $searchTerm Specifies the search term.
-     * @param string $sortBy Determines the sorting preference. 
+     * @param string $sortBy Determines the sorting preference.
      * Supported values are 'title', 'size', 'lastModified' (see SORT_BY_XXX class constants).
-     * @param string $filter Determines the document type filtering preference. 
+     * @param string $filter Determines the document type filtering preference.
      * Supported values are 'image', 'video', 'audio', 'document' (see FILE_TYPE_XXX constants of MediaLibraryItem class).
      * @return array Returns an array of MediaLibraryItem objects.
      */
@@ -384,10 +384,31 @@ class MediaLibrary
         if ($normalizeOnly)
             return $path;
 
-        if (strpos($path, '..') !== false)
-            throw new ApplicationException(Lang::get('cms::lang.media.invalid_path', ['path'=>$path]));
+        $regexDirectorySeparator = preg_quote(DIRECTORY_SEPARATOR, '/');
+        $regexDot = preg_quote('.', '/');
+        $regex = [
 
-        if (strpos($path, './') !== false || strpos($path, '//') !== false)
+            /**
+             * Checks for parent or current directory reference at beginning of path
+             */
+            '(^'.$regexDot.'+?'.$regexDirectorySeparator.')',
+
+            /**
+             * Check for parent or current directory reference in middle of path
+             */
+            '('.$regexDirectorySeparator.$regexDot.'+?'.$regexDirectorySeparator.')',
+
+            /**
+             * Check for parent or current directory reference at end of path
+             */
+            '('.$regexDirectorySeparator.$regexDot.'+?$)',
+        ];
+
+        /**
+         * Now, let's combine everything to one regex
+         */
+        $regex = '/'.implode('|', $regex).'/';
+        if (preg_match($regex, $path) !== 0 || strpos($path, '//') !== false)
             throw new ApplicationException(Lang::get('cms::lang.media.invalid_path', ['path'=>$path]));
 
         return $path;
@@ -537,7 +558,7 @@ class MediaLibrary
     /**
      * Sorts the item list by title, size or last modified date.
      * @param array $itemList Specifies the item list to sort.
-     * @param string $sortBy Determines the sorting preference. 
+     * @param string $sortBy Determines the sorting preference.
      * Supported values are 'title', 'size', 'lastModified' (see SORT_BY_XXX class constants).
      */
     protected function sortItemList(&$itemList, $sortBy)
@@ -567,7 +588,7 @@ class MediaLibrary
     /**
      * Filters item list by file type.
      * @param array $itemList Specifies the item list to sort.
-     * @param string $filter Determines the document type filtering preference. 
+     * @param string $filter Determines the document type filtering preference.
      * Supported values are 'image', 'video', 'audio', 'document' (see FILE_TYPE_XXX constants of MediaLibraryItem class).
      */
     protected function filterItemList(&$itemList, $filter)
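Review bot: A path made only of dots with no separator on either side (for example the literal string `..`) matches none of the three alternatives in `$regex`, because each one requires a `DIRECTORY_SEPARATOR` before or after the dot run, whereas the removed `strpos($path, '..')` check did reject it; unless the normalization earlier in this method guarantees a leading separator (the method starts and ends outside the hunk, so I cannot confirm that), the new `if (preg_match($regex, $path) !== 0 || ...)` line lets such a path reach `return $path;`. The three alternatives can be collapsed into one anchored pattern that also covers the bare case: `$regex = '/(^|'.$regexDirectorySeparator.')'.$regexDot.'+('.$regexDirectorySeparator.'|$)/';`. Separately, the pattern is built from `DIRECTORY_SEPARATOR` while the `'//'` check on the same line assumes forward slashes, so on a host where the separator is a backslash a `/../` segment would pass the regex; if library paths are always slash-separated, match a literal `/` instead. The `/** ... */` docblocks inside the array literal are ordinary comments and would read better as `//` lines.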
@@ -586,7 +607,7 @@ class MediaLibrary
     /**
      * Initializes and returns the Media Library disk.
-     * This method should always be used instead of trying to access the 
+     * This method should always be used instead of trying to access the
      * $storageDisk property directly as initializing the disc requires
      * communicating with the remote storage.
      * @return mixed Returns the storage disk object.