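/**
 * Verifies the input path against various exploits and throws exceptions if one is found.
 *
 * Checks, in order:
 *  - unconditionally: backslashes, any ".." segment (mid-path "../" or a trailing ".."),
 *    and ASCII control characters 0x00-0x1F;
 *  - on IIS older than 7: semicolons and dots in directory names (each configurable);
 *  - on any other server: double extensions such as "x.php.jpg", matched case-insensitively
 *    (configurable).
 *
 * @param String $path Path to verify.
 * @param String $fileType File type to verify path against. Values: dir or file.
 * @throws MOXMAN_Exception If the path contains an invalid character or a forbidden construct.
 */
public function verifyPath($path, $fileType = null) {
    // Reject backslashes, ".." segments and control characters before any normalisation.
    // ".." has to be caught both mid-path ("../") and at the very end ("/.."); the
    // previous pattern only matched "../", so a path ending in ".." slipped through.
    // The control range covers the whole C0 block: the old "\x00-\x19" bound let
    // 0x1A-0x1F (e.g. ESC) pass.
    if (preg_match('/\\\\|\\.\\.(\\/|$)|[\\x00-\\x1F]/', $path)) {
        throw new MOXMAN_Exception("Specified path has invalid characters.");
    }

    $path = MOXMAN_Util_PathUtils::toUnixPath($path);

    // SERVER_SOFTWARE is not set under CLI / test runners; treat that as "not IIS"
    // instead of triggering an undefined-index notice.
    $serverSoftware = isset($_SERVER['SERVER_SOFTWARE']) ? $_SERVER['SERVER_SOFTWARE'] : '';

    if (preg_match('~IIS/(\\d+\\.\\d+)~', $serverSoftware, $matches)) {
        $version = floatval($matches[1]);

        if ($version < 7) {
            // IIS 6 only: refuse ";" anywhere in the path (presumably the IIS 6
            // semicolon handler-confusion issue the exception message refers to).
            if (strpos($path, ';') !== false) {
                if ($this->getConfig()->get("filesystem.local.warn_semicolon", true)) {
                    throw new MOXMAN_Exception("IIS 6 doesn't support semicolon in paths for security reasons.", MOXMAN_Exception::INVALID_FILE_NAME);
                }
            }

            // IIS 6 only: refuse a dot inside any directory component ("a.b/c"), and for a
            // directory target a dot anywhere in the path.
            if (preg_match('/\\.[^\\/]+\\//', $path) || $fileType == "dir" && strpos($path, '.') !== false) {
                if ($this->getConfig()->get("filesystem.local.warn_dot_dirs", true)) {
                    throw new MOXMAN_Exception("IIS 6 don't support dots in directory names for security reasons.", MOXMAN_Exception::INVALID_FILE_NAME);
                }
            }
        }
    } else {
        // Non-IIS servers: refuse "<name>.php.<anything>" style double extensions.
        // The dot before the extension is matched literally (the old pattern's
        // unescaped "." matched any character, so e.g. "myphp.txt" was refused too),
        // and the match is case-insensitive so "x.PHP.jpg" is caught as well.
        if (preg_match('/\\.(php|inc|php\\d+|phtml|php[st])\\.[^\\/]+/i', $path)) {
            if ($this->getConfig()->get("filesystem.local.warn_double_exts", true)) {
                throw new MOXMAN_Exception("Double extensions is not allowed for security reasons.", MOXMAN_Exception::INVALID_FILE_NAME);
            }
        }
    }
}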
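/**
 * Sanitize a child path.
 *
 * Converts the path to forward slashes, strips characters that are never allowed in a
 * child path (ASCII control characters 0x00-0x1F and ? " | > < ; :), drops every "."
 * and ".." segment (segments are trimmed of whitespace first), and collapses runs of
 * slashes. Note that ".." segments are removed, not resolved.
 *
 * @param String $path String to check against.
 * @return String Sanitized path according to rules.
 */
public static function childPath($path) {
    $path = MOXMAN_Util_PathUtils::toUnixPath($path);

    // Strip forbidden characters. The previous pattern '[...];|:' was a character class
    // followed by a literal ";", so a listed character was only removed when it was
    // immediately followed by ";" (and a bare ";" was never removed at all) — "?", quotes,
    // pipes, angle brackets and control characters passed straight through. Every
    // forbidden character now sits inside one class, and the control range covers the
    // full C0 block (0x00-0x1F) rather than stopping at 0x19.
    $path = preg_replace('/[\\x00-\\x1F?"|><;:]/', '', $path);

    // Stripping happens before the segment filter, so a ".." produced by removing a
    // forbidden character (e.g. ".:.") is still caught here.
    $segments = array();
    foreach (explode("/", $path) as $segment) {
        $segment = trim($segment);

        if ($segment !== "." && $segment !== "..") {
            $segments[] = $segment;
        }
    }

    $path = implode("/", $segments);

    // Dropped segments leave empty components behind; collapse the resulting "//" runs.
    return preg_replace("/\\/+/", '/', $path);
}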