Block files with dangerous names from coming in via Storage untar.
This commit is contained in:
parent
9f724a7193
commit
13a222f6ce
3 changed files with 20 additions and 3 deletions
|
|
@ -4,6 +4,7 @@
|
||||||
- fixed possible vulnerability loading template parser
|
- fixed possible vulnerability loading template parser
|
||||||
- fixed possible vulnerability loading help files
|
- fixed possible vulnerability loading help files
|
||||||
- fixed possible vulnerability with filenames in storage locations
|
- fixed possible vulnerability with filenames in storage locations
|
||||||
|
- fixed possible vulnerability with extracting tar files in storage locations
|
||||||
|
|
||||||
7.9.11
|
7.9.11
|
||||||
- fixed #11755: New cart does not update shipping methods correctly
|
- fixed #11755: New cart does not update shipping methods correctly
|
||||||
|
|
|
||||||
|
|
@ -1844,6 +1844,13 @@ sub untar {
|
||||||
}, ".");
|
}, ".");
|
||||||
$self->_changeOwner(@files);
|
$self->_changeOwner(@files);
|
||||||
|
|
||||||
|
##Prevent dangerous files from being added to the storage location via untar
|
||||||
|
FILE: foreach my $file (@files) {
|
||||||
|
my $blockname = $temp->block_extensions($file);
|
||||||
|
next FILE if $blockname eq $file;
|
||||||
|
$temp->renameFile($file, $blockname);
|
||||||
|
}
|
||||||
|
|
||||||
chdir $originalDir;
|
chdir $originalDir;
|
||||||
return $temp;
|
return $temp;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
15
t/Storage.t
15
t/Storage.t
|
|
@ -31,8 +31,7 @@ my $cwd = Cwd::cwd();
|
||||||
|
|
||||||
my ($extensionTests, $fileIconTests, $block_extension_tests) = setupDataDrivenTests($session);
|
my ($extensionTests, $fileIconTests, $block_extension_tests) = setupDataDrivenTests($session);
|
||||||
|
|
||||||
my $numTests = 140; # increment this value for each test you create
|
plan tests => 141
|
||||||
plan tests => 140
|
|
||||||
+ scalar @{ $extensionTests }
|
+ scalar @{ $extensionTests }
|
||||||
+ scalar @{ $fileIconTests }
|
+ scalar @{ $fileIconTests }
|
||||||
+ scalar @{ $block_extension_tests }
|
+ scalar @{ $block_extension_tests }
|
||||||
|
|
@ -413,10 +412,20 @@ my $untarStorage = $tarStorage->untar('tar.tar');
|
||||||
addToCleanup($untarStorage);
|
addToCleanup($untarStorage);
|
||||||
isa_ok( $untarStorage, "WebGUI::Storage", "untar: returns a WebGUI::Storage object");
|
isa_ok( $untarStorage, "WebGUI::Storage", "untar: returns a WebGUI::Storage object");
|
||||||
is (substr($untarStorage->getPathFrag, 0, 5), 'temp/', 'untar: puts stuff in the temp directory');
|
is (substr($untarStorage->getPathFrag, 0, 5), 'temp/', 'untar: puts stuff in the temp directory');
|
||||||
##Note, getFiles will NOT recurse, so do not use a deep directory structure here
|
|
||||||
cmp_bag($untarStorage->getFiles, $copiedStorage->getFiles, 'tar and untar loop preserve all files');
|
cmp_bag($untarStorage->getFiles, $copiedStorage->getFiles, 'tar and untar loop preserve all files');
|
||||||
isnt($untarStorage->getPath, $tarStorage->getPath, 'untar did not reuse the same path as the tar storage object');
|
isnt($untarStorage->getPath, $tarStorage->getPath, 'untar did not reuse the same path as the tar storage object');
|
||||||
|
|
||||||
|
$tarStorage->addFileFromFilesystem(WebGUI::Test->getTestCollateralPath('extensions.tar'));
|
||||||
|
my $extensionStorage = $tarStorage->untar('extensions.tar');
|
||||||
|
WebGUI::Test->addToCleanup($extensionStorage);
|
||||||
|
use Data::Dumper;
|
||||||
|
diag Dumper $extensionStorage->getFiles;
|
||||||
|
cmp_bag(
|
||||||
|
$extensionStorage->getFiles,
|
||||||
|
[ qw{ extension_pm.txt extension_perl.txt extension_html.txt extensions extensions/extension_html.txt }],
|
||||||
|
'untar fixes file extensions'
|
||||||
|
);
|
||||||
|
|
||||||
####################################################
|
####################################################
|
||||||
#
|
#
|
||||||
# clear
|
# clear
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue