Merge branch 'hotline#32417_pb_envoi_mail_fusion_pour_adulte' into 'stable'

Hotline#32417 pb envoi mail fusion pour adulte See merge request !1229

Merge branch 'hotline#32417_pb_envoi_mail_fusion_pour_adulte' into 'stable'
Hotline#32417 pb envoi mail fusion pour adulte See merge request !1229
9b36e615 · Patrick Barroca · c1362332 · 2717dd84 · 9b36e615 · 9b36e615
Commit 9b36e615 authored 9 years ago by Patrick Barroca
--- a/VERSIONS_HOTLINE/32417
+++ b/VERSIONS_HOTLINE/32417
+ - ticket #32417 : Explorateur de fichiers : Corrige une erreur d'autorisation pour les fichiers dont le nom contient ".."
\ No newline at end of file
--- a/library/Class/FileManager.php
+++ b/library/Class/FileManager.php
@@ -21,9 +21,12 @@

 class Class_FileManager {
  public function isAuthorized($path) {
-    return Class_Users::isCurrentUserCanAccesBackend()
-      && false !== strpos($path, USERFILESURL)
-      && false === strpos($path, '..');
+    if (!Class_Users::isCurrentUserCanAccesBackend()
+        || false === strpos($path, USERFILESURL))
+      return false;
+
+    $parts = explode('/', $path);
+    return !in_array('..', $parts);
  }
 }


--- a/tests/library/Class/FileManagerTest.php
+++ b/tests/library/Class/FileManagerTest.php
@@ -91,6 +91,15 @@ class FileManagerAsAdminTest extends ModelTestCase {
  public function upperDirectoryShouldNotBeAuthorized() {
    $this->assertFalse($this->_filemanager->isAuthorized(USERFILESURL . '../'));
  }
+
+
+  /**
+   * @test
+   * @see http://forge.afi-sa.fr/issues/32417
+   */
+  public function filenameContainingTwoDotsShouldBeAuthorized() {
+    $this->assertTrue($this->_filemanager->isAuthorized(USERFILESURL . '/Spectacle_14_nov..pdf'));
+  }
 }

 ?>
\ No newline at end of file