Fix a bug where storage objects allow deleting of files in other storage objects.
parent
9fe8fc782e
commit
99d7037532
2 changed files with 33 additions and 1 deletions
|
|
@ -465,6 +465,7 @@ it doesn't.
|
|||
sub deleteFile {
|
||||
my $self = shift;
|
||||
my $filename = shift;
|
||||
return undef if $filename =~ m{\.\./}; ##prevent deleting files outside of this object
|
||||
unlink($self->getPath($filename));
|
||||
}
|
||||
|
||||
|
|
@ -774,6 +775,20 @@ sub getPath {
|
|||
}
|
||||
|
||||
|
||||
#-------------------------------------------------------------------
|
||||
|
||||
=head2 getPathFrag ( )
|
||||
|
||||
Returns the internal, upload dir specific part of the path.
|
||||
|
||||
=cut
|
||||
|
||||
sub getPathFrag {
|
||||
my $self = shift;
|
||||
return join '/', $self->{_part1}, $self->{_part2}, $self->getFileId;
|
||||
}
|
||||
|
||||
|
||||
#-------------------------------------------------------------------
|
||||
|
||||
=head2 getUrl ( [ file ] )
|
||||
|
|
|
|||
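Review bot: The guard added to `deleteFile` is a denylist match on the literal substring `../`, which stops the case the new test exercises but does not establish that the path handed to `unlink` resolves inside this object's directory; any other spelling of a parent reference (a backslash separator on a Windows host, for instance) is not matched. A containment check is sturdier: if storage objects hold no subdirectories (not visible on this page), reject separators outright with `return undef if $filename =~ m{[/\\]};`, otherwise canonicalise `$self->getPath($filename)` and compare it against the object's own directory before unlinking. The refusal is also silent; the test file shows the class tracks errors (`getErrorCount`, `getLastError`), so recording the rejection there would make attempts visible to callers and operators. Any other method that passes a caller-supplied name to `getPath` lies outside this diff and presumably needs the same check.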
19
t/Storage.t
19
t/Storage.t
|
|
@ -49,7 +49,7 @@ my $extensionTests = [
|
|||
},
|
||||
];
|
||||
|
||||
plan tests => 70 + scalar @{ $extensionTests }; # increment this value for each test you create
|
||||
plan tests => 74 + scalar @{ $extensionTests }; # increment this value for each test you create
|
||||
|
||||
my $session = WebGUI::Test->session;
|
||||
|
||||
|
|
@ -83,6 +83,14 @@ is( $storage1->getErrorCount, 0, "No errors during path creation");
|
|||
|
||||
is( $storage1->getLastError, undef, "No errors during path creation");
|
||||
|
||||
####################################################
|
||||
#
|
||||
# getPathFrag
|
||||
#
|
||||
####################################################
|
||||
|
||||
is( $storage1->getPathFrag, 'fo/ob/foobar');
|
||||
|
||||
####################################################
|
||||
#
|
||||
# getPath, getUrl
|
||||
|
|
@ -273,6 +281,14 @@ is($storage1->deleteFile("testfile-hash-renamed.file"), 1, 'deleteFile: deleted
|
|||
is($storage1->deleteFile("WebGUI.pm"), 1, 'deleteFile: deleted another file');
|
||||
cmp_bag($storage1->getFiles, [$filename], 'deleteFile: storage1 has only 1 file');
|
||||
|
||||
##Test for out of object file deletion
|
||||
my $hackedStore = WebGUI::Storage->create($session);
|
||||
$hackedStore->addFileFromScalar('fileToHack', 'Can this file be deleted from another object?');
|
||||
ok(-e $hackedStore->getPath('fileToHack'), 'set up a file for deleteFile to try and delete illegally');
|
||||
my $hackedPath = '../../../'.$hackedStore->getPathFrag().'/fileToHack';
|
||||
is($storage1->deleteFile($hackedPath), undef, 'deleteFile into another storage returns undef');
|
||||
ok(-e $hackedStore->getPath('fileToHack'), 'deleteFile did not delete the file in another storage object');
|
||||
|
||||
####################################################
|
||||
#
|
||||
# createTemp
|
||||
|
|
@ -362,6 +378,7 @@ END {
|
|||
$storage1, $storage2, $storage3, $copiedStorage,
|
||||
$secondCopy, $s3copy, $tempStor, $tarStorage,
|
||||
$untarStorage, $fileStore,
|
||||
$hackedStore,
|
||||
) {
|
||||
ref $stor eq "WebGUI::Storage" and $stor->delete;
|
||||
}
|
||||
|
|
|
|||
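Review bot: The new `getPathFrag` assertion is the only one in these hunks without a test name, so a failure would be reported by number alone; `is( $storage1->getPathFrag, 'fo/ob/foobar', 'getPathFrag: returns part1/part2/id');` matches the neighbouring tests. The out-of-object deletion test pins a single input shape, the `'../../../'` prefix, which mirrors the regex in `deleteFile` rather than the property being protected. Driving the same `is(..., undef, ...)` and `-e` checks from a short list of caller-supplied names would keep the test meaningful if the guard is later replaced by a containment check. The plan count of 74 agrees with the four assertions these hunks add.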