From 3ac79dbc1ecc71a1d704992366a0512d46af7785 Mon Sep 17 00:00:00 2001
From: Roland Haeder
Date: Thu, 15 May 2014 22:41:23 +0200
Subject: [PATCH] Use realpath() to secure file and path names.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Signed-off-by: Roland Häder
---
 .../directory/class_FrameworkDirectoryPointer.php | 3 +++
 .../file_directories/input/class_FrameworkFileInputPointer.php | 3 +++
 .../io/class_FrameworkFileInputOutputPointer.php | 3 +++
 .../output/class_FrameworkFileOutputPointer.php | 3 +++
 4 files changed, 12 insertions(+)
diff --git a/inc/classes/main/file_directories/directory/class_FrameworkDirectoryPointer.php b/inc/classes/main/file_directories/directory/class_FrameworkDirectoryPointer.php
index da220403..a04a8dd4 100644
--- a/inc/classes/main/file_directories/directory/class_FrameworkDirectoryPointer.php
+++ b/inc/classes/main/file_directories/directory/class_FrameworkDirectoryPointer.php
@@ -68,6 +68,9 @@ class FrameworkDirectoryPointer extends BaseFrameworkSystem {
 * @todo Get rid of inConstructor, could be old-lost code.
 */
 public static final function createFrameworkDirectoryPointer ($pathName, $inConstructor = FALSE) {
+ // Secure with realpath()
+ $pathName = realpath($pathName);
+
 // Some pre-sanity checks...
 if (is_null($pathName)) {
 // No pathname given
diff --git a/inc/classes/main/file_directories/input/class_FrameworkFileInputPointer.php b/inc/classes/main/file_directories/input/class_FrameworkFileInputPointer.php
index f70ef5a1..bca7a18b 100644
--- a/inc/classes/main/file_directories/input/class_FrameworkFileInputPointer.php
+++ b/inc/classes/main/file_directories/input/class_FrameworkFileInputPointer.php
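Review bot: In createFrameworkDirectoryPointer the `is_null($pathName)` check that follows the new `realpath()` call can no longer fire, because realpath() returns either a string or FALSE, and an empty or NULL argument is resolved to the current working directory instead of being rejected. Running the sanity checks on the caller's value first and then testing the resolved value explicitly, e.g. `$realPath = realpath($pathName);` followed by `if ($realPath === FALSE) {`, would keep the "No pathname given" branch meaningful and give a non-existent path its own error. The same ordering is used in the three file-pointer factories (createFrameworkFileInputPointer, createFrameworkFileInputOutputPointer, createFrameworkFileOutputPointer); in the input and input/output variants `empty()` does catch FALSE, but it reports a missing file as a missing name. realpath() only canonicalises a path; if the goal is to keep callers inside an allowed directory, the resolved path still has to be compared against that base directory, which the visible lines do not do. The function body continues past the end of the hunk.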
@@ -42,6 +42,9 @@ class FrameworkFileInputPointer extends BaseFileIo {
 * @return void
 */
 public static final function createFrameworkFileInputPointer ($fileName) {
+ // Secure with realpath()
+ $fileName = realpath($fileName);
+
 // Some pre-sanity checks...
 if ((is_null($fileName)) || (empty($fileName))) {
 // No filename given
diff --git a/inc/classes/main/file_directories/io/class_FrameworkFileInputOutputPointer.php b/inc/classes/main/file_directories/io/class_FrameworkFileInputOutputPointer.php
index 824df452..04d8cbc9 100644
--- a/inc/classes/main/file_directories/io/class_FrameworkFileInputOutputPointer.php
+++ b/inc/classes/main/file_directories/io/class_FrameworkFileInputOutputPointer.php
@@ -44,6 +44,9 @@ class FrameworkFileInputOutputPointer extends BaseFileIo {
 * @throws FileIoException If fopen() returns not a file resource
 */
 public static final function createFrameworkFileInputOutputPointer ($fileName) {
+ // Secure with realpath()
+ $fileName = realpath($fileName);
+
 // Some pre-sanity checks...
 if ((is_null($fileName)) || (empty($fileName))) {
 // No filename given
diff --git a/inc/classes/main/file_directories/output/class_FrameworkFileOutputPointer.php b/inc/classes/main/file_directories/output/class_FrameworkFileOutputPointer.php
index 1af2697b..907495c7 100644
--- a/inc/classes/main/file_directories/output/class_FrameworkFileOutputPointer.php
+++ b/inc/classes/main/file_directories/output/class_FrameworkFileOutputPointer.php
@@ -43,6 +43,9 @@ class FrameworkFileOutputPointer extends BaseFileIo {
 * @return void
 */
 public static final function createFrameworkFileOutputPointer ($fileName, $mode) {
+ // Secure with realpath()
+ $fileName = realpath($fileName);
+
 // Some pre-sanity checks...
 if (is_null($fileName)) {
 // No filename given
--
2.39.2
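Review bot: `realpath($fileName)` in createFrameworkFileOutputPointer returns FALSE for a file that does not exist yet, so an output pointer can presumably no longer be used to create a new file, and `is_null()` lets the FALSE through to whatever opens the file below the hunk. Resolving only the directory part keeps the canonicalisation without requiring the target to exist: `$fileName = realpath(dirname($fileName)) . '/' . basename($fileName);`, with a check that the `realpath()` result is not FALSE before concatenating. The input/output factory in class_FrameworkFileInputOutputPointer.php may need the same treatment if its open mode can create files, which is not visible here.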