From 1480380af6d551ce356b1dfa21490d57c7fcf151 Mon Sep 17 00:00:00 2001
From: Philipp Holzer
Date: Sun, 14 Apr 2019 16:17:34 +0200
Subject: [PATCH] Basepath Hardening
---
 src/Util/BasePath.php | 12 +++++--
 tests/src/Util/BasePathTest.php | 56 +++++++++++++++++++++++++++------
 2 files changed, 55 insertions(+), 13 deletions(-)
diff --git a/src/Util/BasePath.php b/src/Util/BasePath.php
index fc9c3b5939..f29c2e864e 100644
--- a/src/Util/BasePath.php
+++ b/src/Util/BasePath.php
@@ -19,15 +19,21 @@ class BasePath
 */
 public static function create($basePath, array $server = [])
 {
- if (!$basePath && !empty($server['DOCUMENT_ROOT'])) {
+ if ((!$basePath || !is_dir($basePath)) && !empty($server['DOCUMENT_ROOT'])) {
 $basePath = $server['DOCUMENT_ROOT'];
 }

- if (!$basePath && !empty($server['PWD'])) {
+ if ((!$basePath || !is_dir($basePath)) && !empty($server['PWD'])) {
 $basePath = $server['PWD'];
 }

- return self::getRealPath($basePath);
+ $basePath = self::getRealPath($basePath);
+
+ if (!is_dir($basePath)) {
+ throw new \Exception(sprintf('\'%s\' is not a valid basepath', $basePath));
+ }
+
+ return $basePath;
 }

 /**
diff --git a/tests/src/Util/BasePathTest.php b/tests/src/Util/BasePathTest.php
index bb23cb650d..c31adb079e 100644
--- a/tests/src/Util/BasePathTest.php
+++ b/tests/src/Util/BasePathTest.php
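Review bot: `create()` in src/Util/BasePath.php now treats a non-empty `$basePath` that is not a directory like an empty one and silently substitutes `$server['DOCUMENT_ROOT']` or `$server['PWD']`, so a mistyped explicit path no longer fails, and when the exception does fire it names the substituted value rather than the one the caller passed. The tests added in this commit pin the fallback, so it appears intentional, but both substitutes come from the web server or process environment and the misconfiguration should stay visible. Keep the caller's value with `$requested = $basePath;` before the first `if` and report it in the throw, e.g. `sprintf('\'%s\' is not a valid basepath (requested: \'%s\')', $basePath, $requested)`. The docblock, which starts above the hunk, should state the precedence (argument, then DOCUMENT_ROOT, then PWD) and gain `@throws \Exception`; since the message contains a filesystem path, it is better logged than shown to web clients.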
@@ -6,24 +6,60 @@ use Friendica\Util\BasePath;

 class BasePathTest extends MockedTest
 {
+ public function dataPaths()
+ {
+ return [
+ 'fullPath' => [
+ 'server' => [],
+ 'input' => dirname(__DIR__, 3) . DIRECTORY_SEPARATOR . 'config',
+ 'output' => dirname(__DIR__, 3) . DIRECTORY_SEPARATOR . 'config',
+ ],
+ 'relative' => [
+ 'server' => [],
+ 'input' => 'config',
+ 'output' => dirname(__DIR__, 3) . DIRECTORY_SEPARATOR . 'config',
+ ],
+ 'document_root' => [
+ 'server' => [
+ 'DOCUMENT_ROOT' => dirname(__DIR__, 3) . DIRECTORY_SEPARATOR . 'config',
+ ],
+ 'input' => '/noooop',
+ 'output' => dirname(__DIR__, 3) . DIRECTORY_SEPARATOR . 'config',
+ ],
+ 'pwd' => [
+ 'server' => [
+ 'PWD' => dirname(__DIR__, 3) . DIRECTORY_SEPARATOR . 'config',
+ ],
+ 'input' => '/noooop',
+ 'output' => dirname(__DIR__, 3) . DIRECTORY_SEPARATOR . 'config',
+ ],
+ 'no_overwrite' => [
+ 'server' => [
+ 'DOCUMENT_ROOT' => dirname(__DIR__, 3),
+ 'PWD' => dirname(__DIR__, 3),
+ ],
+ 'input' => 'config',
+ 'output' => dirname(__DIR__, 3) . DIRECTORY_SEPARATOR . 'config',
+ ]
+ ];
+ }
+
 /**
 * Test the basepath determination
+ * @dataProvider dataPaths
 */
- public function testDetermineBasePath()
+ public function testDetermineBasePath(array $server, $input, $output)
 {
- $serverArr = ['DOCUMENT_ROOT' => '/invalid', 'PWD' => '/invalid2'];
- $this->assertEquals('/valid', BasePath::create('/valid', $serverArr));
+ $this->assertEquals($output, BasePath::create($input, $server));
 }

 /**
- * Test the basepath determination with DOCUMENT_ROOT and PWD
+ * Test the basepath determination with a complete wrong path
+ * @expectedException \Exception
+ * @expectedExceptionMessageRegExp /(.*) is not a valid basepath/
 */
- public function testDetermineBasePathWithServer()
+ public function testFailedBasePath()
 {
- $serverArr = ['DOCUMENT_ROOT' => '/valid'];
- $this->assertEquals('/valid', BasePath::create('', $serverArr));
-
- $serverArr = ['PWD' => '/valid_too'];
- $this->assertEquals('/valid_too', BasePath::create('', $serverArr));
+ BasePath::create('/now23452sgfgas', []);
 }
 }
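Review bot: The data provider never exercises the new `!is_dir()` branch of the second `if` in `BasePath::create()`: no set combines a `DOCUMENT_ROOT` that is not a directory with a valid `PWD`, so the fallback chain could regress unnoticed. A set like the one below covers it, and `testFailedBasePath()` could likewise pass non-directory `DOCUMENT_ROOT` and `PWD` values to pin the failure path when the server array is populated. The `no_overwrite` set also depends on the working directory, because the relative `'config'` input is checked with `is_dir()` before it is resolved, so it only passes when PHPUnit is started from the repository root.

```php
            // … unchanged: 'fullPath' through 'pwd' data sets …
            'document_root_invalid' => [
                'server' => [
                    'DOCUMENT_ROOT' => '/noooop',
                    'PWD' => dirname(__DIR__, 3) . DIRECTORY_SEPARATOR . 'config',
                ],
                'input' => '/noooop',
                'output' => dirname(__DIR__, 3) . DIRECTORY_SEPARATOR . 'config',
            ],
            // … unchanged: 'no_overwrite' data set …
```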