Forbid "." and ".." in slugs

Summary: Fixes T4614. These don't do anything bad or dangerous, but generate unusable pages.

Test Plan:
  - Added and executed unit tests.
  - Tried to create pages like `/../`, `/begin/../end/`, etc.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: aran, epriestley

Maniphest Tasks: T4614

Differential Revision: https://secure.phabricator.com/D8535

src/infrastructure/util/PhabricatorSlug.php

@@ -10,6 +10,24 @@ final class PhabricatorSlug {
     $slug = preg_replace('@_+@', '_', $slug);
     $slug = trim($slug, '_');
 
+    // Specifically rewrite these slugs. It's OK to have a slug like "a..b",
+    // but not a slug which is only "..".
+
+    // NOTE: These are explicitly not pht()'d, because they should be stable
+    // across languages.
+
+    $replace = array(
+      '.'   => 'dot',
+      '..'  => 'dotdot',
+    );
+
+    foreach ($replace as $pattern => $replacement) {
+      $pattern = preg_quote($pattern, '@');
+      $slug = preg_replace(
+        '@(^|/)'.$pattern.'(\z|/)@',
+        '\1'.$replacement.'\2', $slug);
+    }
+
     return $slug.'/';
   }
 

src/infrastructure/util/__tests__/PhabricatorSlugTestCase.php

@@ -17,6 +17,16 @@ final class PhabricatorSlugTestCase extends PhabricatorTestCase {
       "T\x00O\x00D\x00O"  => "t_o_d_o/",
       'x#%&+=\\?<> y'     => 'x_y/',
       "\xE2\x98\x83"      => "\xE2\x98\x83/",
+      '..'                => 'dotdot/',
+      '../'               => 'dotdot/',
+      '/../'              => 'dotdot/',
+      'a/b'               => 'a/b/',
+      'a//b'              => 'a/b/',
+      'a/../b/'           => 'a/dotdot/b/',
+      '/../a'             => 'dotdot/a/',
+      '../a'              => 'dotdot/a/',
+      'a/..'              => 'a/dotdot/',
+      'a/../'             => 'a/dotdot/',
     );
 
     foreach ($slugs as $slug => $normal) {