Merge pull request #456 from cakephp/pages-controller

Fix directory traversal of .ctp files
cakephp · Nov 28, 2016 · 2e07475 · 2e07475
2 parents a8e8a55 + 41ecd38
commit 2e07475
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/src/Controller/PagesController.php b/src/Controller/PagesController.php
@@ -15,6 +15,7 @@
 namespace App\Controller;
 
 use Cake\Core\Configure;
+use Cake\Network\Exception\ForbiddenException;
 use Cake\Network\Exception\NotFoundException;
 use Cake\View\Exception\MissingTemplateException;
 
@@ -32,6 +33,7 @@ class PagesController extends AppController
  * Displays a view
  *
  * @return void|\Cake\Network\Response
+ * @throws \Cake\Network\Exception\ForbiddenException When a directory traversal attempt.
  * @throws \Cake\Network\Exception\NotFoundException When the view file could not
  * be found or \Cake\View\Exception\MissingTemplateException in debug mode.
  */
@@ -43,6 +45,9 @@ public function display()
  if (!$count) {
  return $this->redirect('/');
  }
+ if (in_array('..', $path, true) || in_array('.', $path, true)) {
+ throw new ForbiddenException();
+ }
  $page = $subpage = null;
 
  if (!empty($path[0])) {

diff --git a/tests/TestCase/Controller/PagesControllerTest.php b/tests/TestCase/Controller/PagesControllerTest.php
@@ -82,4 +82,16 @@ public function testMissingTemplateInDebug()
  $this->assertResponseContains('Stacktrace');
  $this->assertResponseContains('not_existing.ctp');
  }
+
+ /**
+ * Test directory traversal protection
+ *
+ * @return void
+ */
+ public function testDirectoryTraversalProtection()
+ {
+ $this->get('/pages/../Layout/ajax');
+ $this->assertResponseCode(403);
+ $this->assertResponseContains('Forbidden');
+ }
 }