hotline #67693 : directory traversal is forbidden

library/Class/FileManager.php

@@ -35,6 +35,18 @@ class Class_FileManager {
 
 
   protected function _isForbidden($part) {
-    return in_array($part, ['..', '.htaccess']);
+    return $this->_isHtaccess($part) || $this->_isDotsOnly($part);
+  }
+
+
+  protected function _isHtaccess($part) {
+    return '.htaccess' == trim($part);
+  }
+
+
+  protected function _isDotsOnly($part) {
+    return $part
+      ? '' == trim(str_replace('.', '', $part))
+      : false;
   }
 }

tests/library/Class/FileManagerTest.php

@@ -46,15 +46,14 @@ class FileManagerAuthTest extends FileManagerTestCase {
                                     'password' => 'admin']);
     $this->_admin->beModoBib()->save();
 
-
     $this->_guest = $this->fixture('Class_Users',
                                    ['id' => 3,
                                     'login' => 'guest',
                                     'password' => 'guest']);
     $this->_guest->beInvite()->save();
-
   }
 
+
   /** @test */
   public function withoutAuthenticationUserfilesShouldNotBeAuthorized() {
     $this->assertFalse($this->_filemanager->isAuthorized(USERFILESURL . 'images/bokeh.png'));
@@ -105,6 +104,12 @@ class FileManagerAuthAsAdminTest extends FileManagerTestCase {
   }
 
 
+  /** @test */
+  public function megaUpperDirectoryShouldNotBeAuthorized() {
+    $this->assertFalse($this->_filemanager->isAuthorized(USERFILESURL . '....//'));
+  }
+
+
   /**
    * @test
    * @see http://forge.afi-sa.fr/issues/32417
@@ -115,7 +120,7 @@ class FileManagerAuthAsAdminTest extends FileManagerTestCase {
 
 
   /** @test */
-  public function dotHtaccessShouldNotBeDownloadable() {
+  public function dotHtaccessShouldNotBeAuthorized() {
     $this->assertFalse($this->_filemanager->isAuthorized(USERFILESURL . '/.htaccess'));
   }
 }
\ No newline at end of file