Forbid "." and ".." in slugs
Summary: Fixes T4614. These don't do anything bad or dangerous, but generate unusable pages. Test Plan: - Added and executed unit tests. - Tried to create pages like `/../`, `/begin/../end/`, etc. Reviewers: btrahan, chad Reviewed By: chad Subscribers: aran, epriestley Maniphest Tasks: T4614 Differential Revision: https://secure.phabricator.com/D8535
This commit is contained in:
parent
3257372585
commit
f1637961e7
2 changed files with 28 additions and 0 deletions
@ -10,6 +10,24 @@ final class PhabricatorSlug {
$slug = preg_replace('@_+@', '_', $slug);
$slug = trim($slug, '_');
|
// Specifically rewrite these slugs. It's OK to have a slug like "a..b",
// but not a slug which is only "..".
|
// NOTE: These are explicitly not pht()'d, because they should be stable
// across languages.
|
$replace = array(
'.' => 'dot',
'..' => 'dotdot',
);
|
foreach ($replace as $pattern => $replacement) {
$pattern = preg_quote($pattern, '@');
$slug = preg_replace(
'@(^|/)'.$pattern.'(\z|/)@',
'\1'.$replacement.'\2', $slug);
}
|
return $slug.'/';
}
|
|
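Review bot: The `(\z|/)` group in `'@(^|/)'.$pattern.'(\z|/)@'` consumes the separator after a matched segment, so two adjacent segments of the same kind are only rewritten once: once `../` has become `dotdot/`, the following `..` has no `/` left for `(^|/)` to match, and a slug such as `a/../../b` comes out of this loop as `a/dotdot/../b` (the same happens for `./.`). Asserting the trailing separator instead of consuming it keeps a single pass sufficient: `'@(^|/)'.$pattern.'(?=\z|/)@',` with the replacement reduced to `'\1'.$replacement, $slug);`. The method's signature and its earlier normalisation steps are above the hunk, so I cannot tell whether something upstream already collapses such input, but nothing in the visible lines does. The test plan mentions `/begin/../end/` but no consecutive dot segments, so the tests added in the second file do not exercise this case.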
@ -17,6 +17,16 @@ final class PhabricatorSlugTestCase extends PhabricatorTestCase {
"T\x00O\x00D\x00O" => "t_o_d_o/",
'x#%&+=\\?<> y' => 'x_y/',
"\xE2\x98\x83" => "\xE2\x98\x83/",
'..' => 'dotdot/',
'../' => 'dotdot/',
'/../' => 'dotdot/',
'a/b' => 'a/b/',
'a//b' => 'a/b/',
'a/../b/' => 'a/dotdot/b/',
'/../a' => 'dotdot/a/',
'../a' => 'dotdot/a/',
'a/..' => 'a/dotdot/',
'a/../' => 'a/dotdot/',
);
|
foreach ($slugs as $slug => $normal) {
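Review bot: The new `$slugs` entries cover a single `..` segment at the start, middle and end of a slug, but none with two dot segments in a row and none for the `'.' => 'dot'` rule at all, which leaves the rewrite loop's only non-obvious behaviour untested. Adding `'../..' => 'dotdot/dotdot/',`, `'./.' => 'dot/dot/',` and `'.' => 'dot/',` to the array would pin that down; from the loop as written I expect the first two to fail because the second segment appears to survive as `..`, so treat them as regression tests for the pattern rather than as documentation of current output. The `$slugs` array opens above the hunk and the `foreach` that checks it continues below it.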