diff --git a/library/Class/FileManager.php b/library/Class/FileManager.php
index 56f450fd5532c1cd80694012c9c1f65087d22981..86e39cbad7bff8254414eddb72f8f1e91ba9da78 100644
--- a/library/Class/FileManager.php
+++ b/library/Class/FileManager.php
@@ -35,6 +35,18 @@ class Class_FileManager {
 
 
   protected function _isForbidden($part) {
-    return in_array($part, ['..', '.htaccess']);
+    return $this->_isHtaccess($part) || $this->_isDotsOnly($part);
+  }
+
+
+  protected function _isHtaccess($part) {
+    return '.htaccess' == trim($part);
+  }
+
+
+  protected function _isDotsOnly($part) {
+    return $part
+      ? '' == trim(str_replace('.', '', $part))
+      : false;
   }
 }
diff --git a/tests/library/Class/FileManagerTest.php b/tests/library/Class/FileManagerTest.php
index 8a04970eec2e2120475595e87774fbd41547098a..a551d54de5bfc1ea7c8c541b76f3e649255518a8 100644
--- a/tests/library/Class/FileManagerTest.php
+++ b/tests/library/Class/FileManagerTest.php
@@ -46,15 +46,14 @@ class FileManagerAuthTest extends FileManagerTestCase {
                                       'password' => 'admin']);
     $this->_admin->beModoBib()->save();
-
     $this->_guest = $this->fixture('Class_Users', ['id' => 3, 'login' => 'guest', 'password' => 'guest']);
     $this->_guest->beInvite()->save();
-
   }
+
   /** @test */
   public function withoutAuthenticationUserfilesShouldNotBeAuthorized() {
     $this->assertFalse($this->_filemanager->isAuthorized(USERFILESURL . 'images/bokeh.png'));
@@ -105,6 +104,12 @@ class FileManagerAuthAsAdminTest extends FileManagerTestCase {
   }
 
 
+  /** @test */
+  public function megaUpperDirectoryShouldNotBeAuthorized() {
+    $this->assertFalse($this->_filemanager->isAuthorized(USERFILESURL . '....//'));
+  }
+
+
   /**
    * @test
    * @see http://forge.afi-sa.fr/issues/32417
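Review bot: `_isHtaccess` matches the segment case-sensitively (`'.htaccess' == trim($part)`), so where the deployment filesystem is case-insensitive a differently-cased spelling of the same file name would get past `_isForbidden`; `return '.htaccess' === strtolower(trim($part));` closes that gap and swaps the loose `==` for `===` at the same time. In `_isDotsOnly` the `trim()` applied after `str_replace` also strips whitespace, so a segment of dots mixed with spaces, or of whitespace alone, is reported as dots-only and forbidden — that reads as deliberately conservative, but a comment such as `// dots mixed with whitespace (or whitespace alone) are rejected on purpose` would keep a later reader from narrowing it. The `$part ? … : false` guard decides by truthiness rather than emptiness; `'' === (string) $part ? false : '' === trim(str_replace('.', '', $part))` states the intended check directly and gives the same results for the string inputs this method sees. The new `megaUpperDirectoryShouldNotBeAuthorized` test in tests/library/Class/FileManagerTest.php covers the `....` case the old `in_array` list missed, but nothing exercises a mixed-case `.htaccess` spelling, which is worth adding next to `dotHtaccessShouldNotBeAuthorized`.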
@@ -115,7 +120,7 @@ class FileManagerAuthAsAdminTest extends FileManagerTestCase {
 
 
   /** @test */
-  public function dotHtaccessShouldNotBeDownloadable() {
+  public function dotHtaccessShouldNotBeAuthorized() {
     $this->assertFalse($this->_filemanager->isAuthorized(USERFILESURL . '/.htaccess'));
   }
 }
\ No newline at end of file