Use PathHelper::ensurePathIsContained

Andrew Welch · Andrew Welch · commit 0af8a8e98df2 · 2020-12-21T14:57:32.000-05:00
diff --git a/src/controllers/DefaultController.php b/src/controllers/DefaultController.php
@@ -14,8 +14,10 @@
 
 use Craft;
 use craft\errors\AssetDisallowedExtensionException;
-use craft\helpers\Json;
+use craft\helpers\Json as JsonHelper;
+use craft\helpers\Path as PathHelper;
 use craft\web\Controller;
+use yii\web\BadRequestHttpException;
 
 /**
  * @author    nystudio107
@@ -65,7 +67,10 @@ public function actionDownloadFile($url)
     {
         $filePath = parse_url($url, PHP_URL_PATH);
         // Remove any relative paths
-        $filePath = preg_replace('/\.\.\/+/', '', $filePath);
+        if (!PathHelper::ensurePathIsContained($filePath)) {
+            throw new BadRequestHttpException('Invalid resource path: ' . $filePath);
+        }
+        // Only work for `allowedFileExtensions` file extensions
         $extension = strtolower(pathinfo($filePath, PATHINFO_EXTENSION));
         $allowedExtensions = Craft::$app->getConfig()->getGeneral()->allowedFileExtensions;
         if (!in_array($extension, $allowedExtensions, true)) {
@@ -164,6 +169,6 @@ public function actionProgress($filename)
             }
         }
 
-        return Json::encode($result);
+        return JsonHelper::encode($result);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -14,8 +14,10 @@`
`14`	`14`
`15`	`15`	`use Craft;`
`16`	`16`	`use craft\errors\AssetDisallowedExtensionException;`
`17`		`-use craft\helpers\Json;`
	`17`	`+use craft\helpers\Json as JsonHelper;`
	`18`	`+use craft\helpers\Path as PathHelper;`
`18`	`19`	`use craft\web\Controller;`
	`20`	`+use yii\web\BadRequestHttpException;`
`19`	`21`
`20`	`22`	`/**`
`21`	`23`	`* @author nystudio107`
`@@ -65,7 +67,10 @@ public function actionDownloadFile($url)`
`65`	`67`	`{`
`66`	`68`	`$filePath = parse_url($url, PHP_URL_PATH);`
`67`	`69`	`// Remove any relative paths`
`68`		`- $filePath = preg_replace('/\.\.\/+/', '', $filePath);`
	`70`	`+ if (!PathHelper::ensurePathIsContained($filePath)) {`
	`71`	`+ throw new BadRequestHttpException('Invalid resource path: ' . $filePath);`
	`72`	`+ }`
	`73`	+ // Only work for `allowedFileExtensions` file extensions
`69`	`74`	`$extension = strtolower(pathinfo($filePath, PATHINFO_EXTENSION));`
`70`	`75`	`$allowedExtensions = Craft::$app->getConfig()->getGeneral()->allowedFileExtensions;`
`71`	`76`	`if (!in_array($extension, $allowedExtensions, true)) {`
`@@ -164,6 +169,6 @@ public function actionProgress($filename)`
`164`	`169`	`}`
`165`	`170`	`}`
`166`	`171`
`167`		`- return Json::encode($result);`
	`172`	`+ return JsonHelper::encode($result);`
`168`	`173`	`}`
`169`	`174`	`}`