Handle correctly symlinked files in server content files

2020-09-09 01:37:24 -05:00 · 2020-09-09 01:37:24 -05:00 · 5eb44de02d
parent 24bcbcb281
commit 5eb44de02d
1 changed files with 31 additions and 2 deletions
--- a/src/Orbit/Module/Statics.php
+++ b/src/Orbit/Module/Statics.php
@ -28,8 +28,8 @@ class Statics extends Module
        $resource_path = rtrim($real_root_dir, "/") . $request->path;

        // Check if within the server root
-        // Realpath will translate any '..' in the path
-        $realpath = realpath($resource_path);
+        // getAbsolutePath will translate any '..' in the path
+        $realpath = self::getAbsolutePath($resource_path);
        if ($realpath && strpos($realpath, $real_root_dir) !== 0) {
            $response->setStatus(Response::STATUS_PERMANENT_FAILURE);
            $response->setMeta("Invalid location");
@ -165,4 +165,33 @@ class Statics extends Module
    {
        return (bool)(fileperms($file) & self::WORLD_READABLE);
    }
+
+    /**
+     * Get an absolute path for a filename
+     *
+     * Translates .. and . to the real locations. The reason I am not using
+     * realpath() to do it is it resolves symlinks
+     *
+     * @param string $path
+     * @return string
+     */
+    public static function getAbsolutePath($path): string
+    {
+        $path = str_replace(array('/', '\\'), DIRECTORY_SEPARATOR, $path);
+        $parts = array_filter(explode(DIRECTORY_SEPARATOR, $path), 'strlen');
+        $absolutes = [];
+
+        foreach ($parts as $part) {
+            if ('.' == $part) {
+                continue;
+            }
+            if ('..' == $part) {
+                array_pop($absolutes);
+            } else {
+                $absolutes[] = $part;
+            }
+        }
+
+        return "/" . implode(DIRECTORY_SEPARATOR, $absolutes);
+    }
 }