hotline #67793 : adding .htaccess is forbidden

d89d51da · Patrick Barroca · 5eb2e4b9 · d89d51da · d89d51da · d89d51da
Commit d89d51da authored 7 years ago by Patrick Barroca
--- a/VERSIONS_HOTLINE/67693
+++ b/VERSIONS_HOTLINE/67693
+ - ticket #67693 : Administration : Explorateur de fichier : il est désormais impossible d'envoyer un fichier .htaccess sur le serveur
\ No newline at end of file
--- a/ckeditor/core_five_filemanager/connectors/php/filemanager.config.php
+++ b/ckeditor/core_five_filemanager/connectors/php/filemanager.config.php
@@ -31,8 +31,11 @@ function auth() {
  require_once($base_path . 'cosmogramme/storm_init.php');

  $path = array_key_exists('path', $_GET) ? $_GET['path'] : '';
-  $path = array_key_exists('currentpath', $_POST) ? $_POST['currentpath'] : $path;
-  $path = array_key_exists('mode', $_GET) && 'rename' == $_GET['mode'] && array_key_exists('old', $_GET)
+
+  $path = array_key_exists('currentpath', $_POST) && array_key_exists('filename', $_POST)
+    ? $_POST['currentpath'] . $_POST['filename'] : $path;
+
+  $path = (array_key_exists('mode', $_GET) && 'rename' == $_GET['mode'] && array_key_exists('old', $_GET))
    ? $_GET['old'] : $path;

  return (new Class_FileManager())->isAuthorized($path);

--- a/library/Class/FileManager.php
+++ b/library/Class/FileManager.php
@@ -26,9 +26,15 @@ class Class_FileManager {
      return false;

    $parts = explode('/', $path);
-    return !in_array('..', $parts);
+    foreach ($parts as $part)
+      if ($this->_isForbidden($part))
+        return false;
+
+    return true;
  }
-}


-?>
\ No newline at end of file
+  protected function _isForbidden($part) {
+    return in_array($part, ['..', '.htaccess']);
+  }
+}
--- a/tests/library/Class/FileManagerTest.php
+++ b/tests/library/Class/FileManagerTest.php
@@ -19,14 +19,27 @@
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
 */

-class FileManagerTest extends ModelTestCase {
+abstract class FileManagerTestCase extends ModelTestCase {
  protected
-    $_filemanager,
-    $_admin;
+    $_storm_default_to_volatile = true,
+    $_filemanager;

  public function setUp() {
    parent::setUp();
+
    $this->_filemanager = new Class_FileManager();
+  }
+}
+
+
+
+class FileManagerAuthTest extends FileManagerTestCase {
+  protected
+    $_admin, $_guest;
+
+  public function setUp() {
+    parent::setUp();
+
    $this->_admin = $this->fixture('Class_Users',
                                   ['id' => 2,
                                    'login' => 'admin',
@@ -65,12 +78,11 @@ class FileManagerTest extends ModelTestCase {



-class FileManagerAsAdminTest extends ModelTestCase {
-  protected $_filemanager;
+class FileManagerAuthAsAdminTest extends FileManagerTestCase {
+  protected $_admin;

  public function setUp() {
    parent::setUp();
-    $this->_filemanager = new Class_FileManager();

    $this->_admin = $this->fixture('Class_Users',
                                   ['id' => 2,
@@ -100,6 +112,10 @@ class FileManagerAsAdminTest extends ModelTestCase {
  public function filenameContainingTwoDotsShouldBeAuthorized() {
    $this->assertTrue($this->_filemanager->isAuthorized(USERFILESURL . '/Spectacle_14_nov..pdf'));
  }
-}

-?>
\ No newline at end of file
+
+  /** @test */
+  public function dotHtaccessShouldNotBeDownloadable() {
+    $this->assertFalse($this->_filemanager->isAuthorized(USERFILESURL . '/.htaccess'));
+  }
+}
\ No newline at end of file