/**
  * Verifies the input path against various exploits and throws an exception if one is found.
  *
  * @param String $path Path to verify.
  * @param String $fileType File type to verify the path against. Values: dir or file.
  * @throws MOXMAN_Exception If the path fails one of the checks.
  */
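 public function verifyPath($path, $fileType = null)
 {
     // Verify the raw input before any normalisation. Rejected: backslashes, a "../"
     // sequence, a path ending in ".." (a parent reference without a trailing slash),
     // and every ASCII control character 0x00-0x1F, NUL included.
     if (preg_match('/\\\\|\\.\\.(?:\\/|$)|[\\x00-\\x1f]/', $path)) {
         throw new MOXMAN_Exception("Specified path has invalid characters.");
     }

     // presumably normalises separators to "/" - confirm in MOXMAN_Util_PathUtils
     $path = MOXMAN_Util_PathUtils::toUnixPath($path);

     // SERVER_SOFTWARE is not set under CLI or some SAPIs; an empty value falls through
     // to the non-IIS branch instead of raising an undefined-index notice.
     $serverSoftware = isset($_SERVER['SERVER_SOFTWARE']) ? $_SERVER['SERVER_SOFTWARE'] : '';

     if (preg_match('~IIS/(\\d+\\.\\d+)~', $serverSoftware, $matches)) {
         // NOTE(review): no double-extension check runs on any IIS version, and IIS 7+
         // gets no server-specific check at all - confirm that this is intended.
         $version = floatval($matches[1]);
         if ($version < 7) {
             // IIS 6 can pick the script handler from the text before a ";" in a file name.
             if (strpos($path, ';') !== false) {
                 if ($this->getConfig()->get("filesystem.local.warn_semicolon", true)) {
                     throw new MOXMAN_Exception("IIS 6 doesn't support semicolon in paths for security reasons.", MOXMAN_Exception::INVALID_FILE_NAME);
                 }
             }

             // A dot inside any directory segment, or anywhere in a path that is itself a
             // directory. The parentheses only spell out the precedence && already has over ||.
             $hasDotDir = preg_match('/\\.[^\\/]+\\//', $path)
                 || ($fileType == "dir" && strpos($path, '.') !== false);
             if ($hasDotDir) {
                 if ($this->getConfig()->get("filesystem.local.warn_dot_dirs", true)) {
                     throw new MOXMAN_Exception("IIS 6 don't support dots in directory names for security reasons.", MOXMAN_Exception::INVALID_FILE_NAME);
                 }
             }
         }
     } else {
         // Script extension followed by a further extension (name.php.jpg). Matched
         // case-insensitively so that .PHP or .PhTml is caught as well.
         // NOTE(review): the leading "." is an unescaped wildcard, so names such as
         // "myphp.txt" are rejected too; it fails closed and is left as it was.
         // This is a denylist; an allowlist of permitted extensions is the stronger control.
         if (preg_match('/.(php|inc|php\\d+|phtml|php[st])\\.[^\\/]+/i', $path)) {
             if ($this->getConfig()->get("filesystem.local.warn_double_exts", true)) {
                 throw new MOXMAN_Exception("Double extensions is not allowed for security reasons.", MOXMAN_Exception::INVALID_FILE_NAME);
             }
         }
     }
 }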
Пример #2
 /**
  * Sanitizes a child path: strips unwanted characters, drops "." and ".." segments
  * and collapses repeated slashes.
  *
  * @param String $path String to check against.
  * @return String Sanitized path according to rules.
  */
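 public static function childPath($path)
 {
     // presumably normalises separators to "/" - confirm in MOXMAN_Util_PathUtils
     $path = MOXMAN_Util_PathUtils::toUnixPath($path);

     // Strip ASCII control characters (0x00-0x1F) and ? " | > < ; : wherever they occur.
     // All of them sit inside the character class: with ";" and ":" written after the
     // closing bracket, the class characters are removed only when a ";" follows them.
     $path = preg_replace('/[\\x00-\\x1f?"|><;:]/', '', $path);

     // Drop "." and ".." segments outright (they are not resolved against their parent),
     // so no segment of the result is a current- or parent-directory reference.
     // Stripping runs first, so a segment that only becomes ".." after it is dropped too.
     $segments = array();
     foreach (explode("/", $path) as $segment) {
         $segment = trim($segment);
         if ($segment !== "." && $segment !== "..") {
             $segments[] = $segment;
         }
     }

     // Collapse the runs of slashes left behind by empty segments.
     return preg_replace("/\\/+/", '/', implode("/", $segments));
 }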