/** * @dataProvider isBasePathDataProvider */ public function testIsBasePath($basepath, $path, $assert) { if ($assert) { $this->assertTrue(FileUtil::isBasePath($path, $basepath)); } else { $this->assertFalse(FileUtil::isBasePath($path, $basepath)); } }
/** * {@inheritdoc} */ public function handle(Request $request, $type = self::MASTER_REQUEST, $catch = true) { $uri = $request->getRequestUri(); // never ever try to deal with null-bytes if (UrlUtil::containsNullBytes($uri)) { $this->logger->notice('null-byte found!', ['uri' => $uri]); return $this->handleNotFound($request); } // strip query string $path = UrlUtil::getPathFromUri($uri); // skip defined file exts if (FileUtil::matchExt(rtrim($path, '/'), $this->excludeExt)) { $this->logger->debug('file extension is excluded!', ['uri' => $uri, 'exclude' => $this->excludeExt]); return $this->handleNotFound($request); } // skip dotfiles if (FileUtil::containsDotfile($path)) { $this->logger->debug('wont handle dotfiles!', ['uri' => $uri]); return $this->handleNotFound($request); } // check path for possible traversal attacks if (UrlUtil::isPossiblePathTraversalAttack($path)) { $this->logger->notice('possible traversal attack!', ['uri' => $uri]); return $this->handleNotFound($request); } // build full path $fullpath = $this->webroot . $path; // check whether the file exists or not if (is_file($fullpath) && is_readable($fullpath)) { $contentType = FileUtil::guessMimeType($fullpath); $response = new Response(file_get_contents($fullpath), Response::HTTP_OK, ['Content-type' => $contentType]); $this->logger->debug('delivering file', ['uri' => $uri, 'fullpath' => $fullpath, 'mime' => $contentType]); return $response; } return $this->handleNotFound($request); }