Block files with dangerous names from coming in via Storage untar.
This commit is contained in:
parent
9f724a7193
commit
13a222f6ce
3 changed files with 20 additions and 3 deletions
|
|
@ -4,6 +4,7 @@
|
|||
- fixed possible vulnerability loading template parser
|
||||
- fixed possible vulnerability loading help files
|
||||
- fixed possible vulnerability with filenames in storage locations
|
||||
- fixed possible vulnerability with extracting tar files in storage locations
|
||||
|
||||
7.9.11
|
||||
- fixed #11755: New cart does not update shipping methods correctly
|
||||
|
|
|
|||
|
|
@ -1844,6 +1844,13 @@ sub untar {
|
|||
}, ".");
|
||||
$self->_changeOwner(@files);
|
||||
|
||||
##Prevent dangerous files from being added to the storage location via untar
|
||||
FILE: foreach my $file (@files) {
|
||||
my $blockname = $temp->block_extensions($file);
|
||||
next FILE if $blockname eq $file;
|
||||
$temp->renameFile($file, $blockname);
|
||||
}
|
||||
|
||||
chdir $originalDir;
|
||||
return $temp;
|
||||
}
|
||||
|
|
|
|||
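Review bot: The return value of `$temp->renameFile($file, $blockname)` is discarded, so if the rename fails the file keeps its blocked name and untar still returns `$temp` as though it were sanitized; the loop should fail closed, e.g. `$temp->renameFile($file, $blockname) or die "untar: could not rename blocked file $file";` (adapt to whatever renameFile actually returns on failure and to the module's error convention, neither of which is visible in this hunk). A second case worth an explicit check is a name collision: the test expects `extension.pm` to become `extension_pm.txt`, and if the archive already carries a file of that target name the rename either silently replaces it or fails depending on renameFile, so a `-e $blockname` test before the rename would make the outcome deliberate. Note that this loop only sees what the find above enumerates under `.`, so any validation of the archive entries' own paths has to happen in the extraction step, which is outside this hunk. sub untar begins before the hunk.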
15
t/Storage.t
15
t/Storage.t
|
|
@ -31,8 +31,7 @@ my $cwd = Cwd::cwd();
|
|||
|
||||
my ($extensionTests, $fileIconTests, $block_extension_tests) = setupDataDrivenTests($session);
|
||||
|
||||
my $numTests = 140; # increment this value for each test you create
|
||||
plan tests => 140
|
||||
plan tests => 141
|
||||
+ scalar @{ $extensionTests }
|
||||
+ scalar @{ $fileIconTests }
|
||||
+ scalar @{ $block_extension_tests }
|
||||
|
|
@ -413,10 +412,20 @@ my $untarStorage = $tarStorage->untar('tar.tar');
|
|||
addToCleanup($untarStorage);
|
||||
isa_ok( $untarStorage, "WebGUI::Storage", "untar: returns a WebGUI::Storage object");
|
||||
is (substr($untarStorage->getPathFrag, 0, 5), 'temp/', 'untar: puts stuff in the temp directory');
|
||||
##Note, getFiles will NOT recurse, so do not use a deep directory structure here
|
||||
cmp_bag($untarStorage->getFiles, $copiedStorage->getFiles, 'tar and untar loop preserve all files');
|
||||
isnt($untarStorage->getPath, $tarStorage->getPath, 'untar did not reuse the same path as the tar storage object');
|
||||
|
||||
$tarStorage->addFileFromFilesystem(WebGUI::Test->getTestCollateralPath('extensions.tar'));
|
||||
my $extensionStorage = $tarStorage->untar('extensions.tar');
|
||||
WebGUI::Test->addToCleanup($extensionStorage);
|
||||
use Data::Dumper;
|
||||
diag Dumper $extensionStorage->getFiles;
|
||||
cmp_bag(
|
||||
$extensionStorage->getFiles,
|
||||
[ qw{ extension_pm.txt extension_perl.txt extension_html.txt extensions extensions/extension_html.txt }],
|
||||
'untar fixes file extensions'
|
||||
);
|
||||
|
||||
####################################################
|
||||
#
|
||||
# clear
|
||||
|
|
|
|||
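Review bot: `use Data::Dumper;` and `diag Dumper $extensionStorage->getFiles;` in the second hunk look like debugging left in: the diag prints the file list on every run and the `use` sits mid-file between test statements, so both lines should be dropped (if the listing is wanted on failure only, cmp_bag's own diagnostics already show the bags). In the first hunk the plan now reads `plan tests => 141` while the context line `my $numTests = 140; # increment this value for each test you create` stays at 140, so either the variable is dead and should be removed or the plan should be built from it. The comment `##Note, getFiles will NOT recurse` sits directly above an expected bag containing `extensions/extension_html.txt`, which only passes if getFiles does return nested entries, so the comment and the observed behaviour should be reconciled.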