
Forbid "." and ".." in slugs

Summary: Fixes T4614. These don't do anything bad or dangerous, but generate unusable pages.

Test Plan:
  - Added and executed unit tests.
  - Tried to create pages like `/../`, `/begin/../end/`, etc.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: aran, epriestley

Maniphest Tasks: T4614

Differential Revision: https://secure.phabricator.com/D8535
epriestley 2014-03-14 08:54:26 -07:00
parent 3257372585
commit f1637961e7
2 changed files with 28 additions and 0 deletions


@ -10,6 +10,24 @@ final class PhabricatorSlug {
$slug = preg_replace('@_+@', '_', $slug);
$slug = trim($slug, '_');
// Specifically rewrite these slugs. It's OK to have a slug like "a..b",
// but not a slug which is only "..".
// NOTE: These are explicitly not pht()'d, because they should be stable
// across languages.
$replace = array(
'.' => 'dot',
'..' => 'dotdot',
);
foreach ($replace as $pattern => $replacement) {
$pattern = preg_quote($pattern, '@');
$slug = preg_replace(
'@(^|/)'.$pattern.'(\z|/)@',
'\1'.$replacement.'\2', $slug);
}
return $slug.'/';
}
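Review bot: Adjacent dot segments still slip through the `preg_replace` in the `foreach` loop, because the `(\z|/)` group consumes the separator and the following segment then has no `(^|/)` left to match against: `../..` normalizes to `dotdot/../` and `./.` to `dot/./`, so the canonicalization this commit introduces is incomplete for repeated segments. Lookaround assertions keep the separators in the subject so every segment is examined, e.g. `'@(?<![^/])'.$pattern.'(?![^/])@',` with plain `$replacement` as the replacement string (the `\1`/`\2` back-references are then unnecessary). A case such as `'../..' => 'dotdot/dotdot/'` in the PhabricatorSlugTestCase section of this commit would pin the fix. The enclosing `normalize()` method and the earlier normalization steps start outside the hunk.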


@ -17,6 +17,16 @@ final class PhabricatorSlugTestCase extends PhabricatorTestCase {
"T\x00O\x00D\x00O" => "t_o_d_o/",
'x#%&+=\\?<> y' => 'x_y/',
"\xE2\x98\x83" => "\xE2\x98\x83/",
'..' => 'dotdot/',
'../' => 'dotdot/',
'/../' => 'dotdot/',
'a/b' => 'a/b/',
'a//b' => 'a/b/',
'a/../b/' => 'a/dotdot/b/',
'/../a' => 'dotdot/a/',
'../a' => 'dotdot/a/',
'a/..' => 'a/dotdot/',
'a/../' => 'a/dotdot/',
);
foreach ($slugs as $slug => $normal) {
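Review bot: None of the added cases exercises the single-dot rewrite (`'.' => 'dot'`), so that branch of the replacement table has no coverage even though every `..` placement is tested. Adding `'.' => 'dot/',` and `'a/./b' => 'a/dot/b/',` alongside the `..` cases would cover it, and `'a..b' => 'a..b/',` would pin the documented intent that dots inside a segment are left alone. The `$slugs` array begins before the hunk starts.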