Commit 9622fbdf authored by Lukas Reschke's avatar Lukas Reschke

Filter potential dangerous characters in path name

We should not allow / or \ in the postfix here.
parent 746be98e
......@@ -54,10 +54,15 @@ class TempManager implements ITempManager {
$this->log = $logger;
}
/**
* @param string $postFix
* @return string
*/
protected function generatePath($postFix) {
if ($postFix) {
$postFix = '.' . ltrim($postFix, '.');
}
$postFix = str_replace(['\\', '/'], '', $postFix);
return $this->tmpBaseDir . '/oc_tmp_' . md5(time() . rand()) . $postFix;
}
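Review bot: The name on the `return` line still gets its uniqueness from `md5(time() . rand())`, which is guessable, so stripping `/` and `\` from the postfix closes the traversal but leaves the full path predictable. If the temp base directory is writable by other local users and callers do not create the file exclusively (neither is visible in this hunk), a file or symlink placed at the predicted path beforehand could be picked up instead of a fresh one. Consider a CSPRNG-backed token such as `bin2hex(random_bytes(16))` where the supported PHP version provides it, or the project's own secure random helper. The docblock should also record the new behaviour, for example `@param string $postFix suffix appended to the name; '/' and '\' are removed`.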
......
......@@ -151,4 +151,17 @@ class TempManager extends \Test\TestCase {
->with($this->stringContains('Can not create a temporary folder in directory'));
$this->assertFalse($manager->getTemporaryFolder());
}
public function testGeneratePathTraversal() {
$logger = $this->getMock('\Test\NullLogger');
$tmpManager = \Test_Helper::invokePrivate(
$this->getManager($logger),
'generatePath',
['../Traversal\\../FileName']
);
$this->assertStringEndsNotWith('./Traversal\\../FileName', $tmpManager);
$this->assertStringEndsWith('.Traversal..FileName', $tmpManager);
}
}
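Review bot: `assertStringEndsNotWith('./Traversal\\../FileName', ...)` adds nothing once the following `assertStringEndsWith('.Traversal..FileName', ...)` passes, and neither assertion checks that the filtered postfix sits directly behind the generated name with no separator in between. One pattern check pins the whole last path segment: `$this->assertRegExp('#/oc_tmp_[0-9a-f]{32}\.Traversal\.\.FileName$#', $path);`. The returned value is a path string, so `$path` would be a clearer name than `$tmpManager`. A second case whose postfix consists only of separators, such as `'/\\'`, would cover the input where nothing but the leading dot survives the filter.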