/**
 * @dataProvider isPossiblePathTraversalAttackDataProvider
 *
 * Each provider row pairs a URI with the verdict the traversal heuristic is
 * expected to return for it; the test passes only when the heuristic's
 * boolean result matches that expected verdict exactly.
 *
 * @param mixed $uri    URI (presumably a path string) handed to the heuristic
 * @param mixed $assert truthy when the URI must be flagged as a traversal attempt
 */
public function testIsPossiblePathTraversalAttack($uri, $assert)
{
    $expectedVerdict = (bool) $assert;
    $actualVerdict = UrlUtil::isPossiblePathTraversalAttack($uri);

    $this->assertSame($expectedVerdict, $actualVerdict);
}
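/**
 * {@inheritdoc}
 *
 * Serves a readable regular file from the configured webroot for the request
 * path, or delegates to handleNotFound() when the request must not be served.
 *
 * Rejections, in order: null bytes in the URI, excluded file extensions,
 * dotfiles, the string-based traversal heuristic, a missing/unreadable file,
 * and finally a canonical-path check that the resolved file really lies
 * inside the canonical webroot. The last check is defence in depth: string
 * heuristics cannot see symlinks or filesystem-level canonicalisation.
 *
 * @param Request $request the incoming request; only its request URI is used
 * @param int     $type    kernel request type (unused here, kept for the interface)
 * @param bool    $catch   whether to catch exceptions (unused here, kept for the interface)
 *
 * @return Response
 */
public function handle(Request $request, $type = self::MASTER_REQUEST, $catch = true)
{
    $uri = $request->getRequestUri();

    // never ever try to deal with null-bytes
    if (UrlUtil::containsNullBytes($uri)) {
        $this->logger->notice('null-byte found!', ['uri' => $uri]);
        return $this->handleNotFound($request);
    }

    // strip query string
    $path = UrlUtil::getPathFromUri($uri);

    // skip defined file exts
    if (FileUtil::matchExt(rtrim($path, '/'), $this->excludeExt)) {
        $this->logger->debug('file extension is excluded!', ['uri' => $uri, 'exclude' => $this->excludeExt]);
        return $this->handleNotFound($request);
    }

    // skip dotfiles
    if (FileUtil::containsDotfile($path)) {
        $this->logger->debug('wont handle dotfiles!', ['uri' => $uri]);
        return $this->handleNotFound($request);
    }

    // check path for possible traversal attacks
    if (UrlUtil::isPossiblePathTraversalAttack($path)) {
        $this->logger->notice('possible traversal attack!', ['uri' => $uri]);
        return $this->handleNotFound($request);
    }

    // build full path
    $fullpath = $this->webroot . $path;

    // check whether the file exists or not
    if (!is_file($fullpath) || !is_readable($fullpath)) {
        return $this->handleNotFound($request);
    }

    // defence in depth: compare canonical paths so that a symlink (or any
    // path form the heuristic above does not recognise) cannot lead outside
    // the webroot. realpath() strips trailing separators, so re-add exactly
    // one before the prefix comparison; a webroot of "/" yields prefix "/".
    $realRoot = realpath($this->webroot);
    $realFile = realpath($fullpath);
    $rootPrefix = $realRoot === false ? null : rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($rootPrefix === null || $realFile === false || strncmp($realFile, $rootPrefix, strlen($rootPrefix)) !== 0) {
        $this->logger->notice('resolved path escapes webroot!', ['uri' => $uri, 'fullpath' => $fullpath]);
        return $this->handleNotFound($request);
    }

    // the file may vanish or lose permissions between the checks and the read
    $contents = file_get_contents($realFile);
    if ($contents === false) {
        $this->logger->notice('could not read file', ['uri' => $uri, 'fullpath' => $fullpath]);
        return $this->handleNotFound($request);
    }

    $contentType = FileUtil::guessMimeType($fullpath);
    $response = new Response($contents, Response::HTTP_OK, ['Content-type' => $contentType]);
    $this->logger->debug('delivering file', ['uri' => $uri, 'fullpath' => $fullpath, 'mime' => $contentType]);

    return $response;
}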