@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Forbid "." and ".." in slugs

Summary: Fixes T4614. These don't do anything bad or dangerous, but generate unusable pages.

Test Plan:
- Added and executed unit tests.
- Tried to create pages like `/../`, `/begin/../end/`, etc.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: aran, epriestley

Maniphest Tasks: T4614

Differential Revision: https://secure.phabricator.com/D8535

src/infrastructure/util/PhabricatorSlug.php (+18 lines)
··· 10 10 $slug = preg_replace('@_+@', '_', $slug); 11 11 $slug = trim($slug, '_'); 12 12 13 + // Specifically rewrite these slugs. It's OK to have a slug like "a..b", 14 + // but not a slug which is only "..". 15 + 16 + // NOTE: These are explicitly not pht()'d, because they should be stable 17 + // across languages. 18 + 19 + $replace = array( 20 + '.' => 'dot', 21 + '..' => 'dotdot', 22 + ); 23 + 24 + foreach ($replace as $pattern => $replacement) { 25 + $pattern = preg_quote($pattern, '@'); 26 + $slug = preg_replace( 27 + '@(^|/)'.$pattern.'(\z|/)@', 28 + '\1'.$replacement.'\2', $slug); 29 + } 30 + 13 31 return $slug.'/'; 14 32 } 15 33
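Review bot: the trailing `(\z|/)` group in the `preg_replace` pattern consumes the separator, so two special segments in a row are only half rewritten. Global replacement resumes after the consumed `/`, and the next `..` then has no `(^|/)` in front of it, so `../..` becomes `dotdot/..` and `a/../../b` becomes `a/dotdot/../b` instead of `a/dotdot/dotdot/b`. Make the trailing check zero-width, e.g. `'@(^|/)'.$pattern.'(?=\z|/)@'` with the replacement `'\1'.$replacement`, and add a `'../..' => 'dotdot/dotdot/'` vector to the test case. The requirement in the comment that `a..b` stays a valid slug is honoured either way, because the leading `(^|/)` is mandatory.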
src/infrastructure/util/__tests__/PhabricatorSlugTestCase.php (+10 lines)
··· 17 17 "T\x00O\x00D\x00O" => "t_o_d_o/", 18 18 'x#%&+=\\?<> y' => 'x_y/', 19 19 "\xE2\x98\x83" => "\xE2\x98\x83/", 20 + '..' => 'dotdot/', 21 + '../' => 'dotdot/', 22 + '/../' => 'dotdot/', 23 + 'a/b' => 'a/b/', 24 + 'a//b' => 'a/b/', 25 + 'a/../b/' => 'a/dotdot/b/', 26 + '/../a' => 'dotdot/a/', 27 + '../a' => 'dotdot/a/', 28 + 'a/..' => 'a/dotdot/', 29 + 'a/../' => 'a/dotdot/', 20 30 ); 21 31 22 32 foreach ($slugs as $slug => $normal) {
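Review bot: none of the new vectors put two special segments next to each other or exercise a bare `.`, so the test passes even though the pattern leaves the second `..` of `../..` unrewritten. Add `'.' => 'dot/'`, `'./.' => 'dot/dot/'` and `'../..' => 'dotdot/dotdot/'`, and since the source comment says a slug like `a..b` is allowed, pin that down too with `'a..b' => 'a..b/'`.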
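The rewrite step from the revision, redone with a zero-width check for the trailing separator so that adjacent `.` / `..` segments are all rewritten, as an added example that is not Phorge or Phabricator code. It isolates only the dot-segment pass: the function `rewriteDotSegments` (a name chosen here) assumes its input has already had repeated slashes collapsed and leading/trailing slashes trimmed by the surrounding normalize step, and it does not append the final `/` that `normalize()` adds. `checkDotSegmentVectors` runs it over constructed vectors, the ones from the test hunk plus the adjacent-segment cases, and returns any mismatches.

```php
<?php
/**
 * Added example, not code from Phorge or Phabricator.
 *
 * Rewrites path segments that consist solely of "." or ".." so a wiki slug
 * can never resolve to an unusable page. The trailing separator is matched
 * with a lookahead, (?=\z|/), so it is not consumed and stays available to
 * anchor the next segment. With a consuming (\z|/) group, "../.." would be
 * rewritten only to "dotdot/..".
 *
 * Assumes the caller has already collapsed repeated "/" and trimmed slashes
 * from both ends, as the surrounding normalize step does.
 */
function rewriteDotSegments(string $slug): string {
  // Deliberately not localised: the replacements must be stable across
  // languages so the same input always yields the same slug.
  $replace = array(
    '.'  => 'dot',
    '..' => 'dotdot',
  );

  foreach ($replace as $pattern => $replacement) {
    $pattern = preg_quote($pattern, '@');
    // (^|/) consumes the leading separator, which is harmless: a separator
    // can only introduce one segment. The trailing (?=\z|/) is zero-width.
    $slug = preg_replace(
      '@(^|/)'.$pattern.'(?=\z|/)@',
      '\1'.$replacement,
      $slug);
  }

  return $slug;
}

/**
 * Runs rewriteDotSegments() over constructed vectors and returns an array of
 * input => actual output for every vector that did not match. Empty means
 * all vectors passed.
 */
function checkDotSegmentVectors(): array {
  $vectors = array(
    // From the revision's test case (without the trailing "/").
    '..'       => 'dotdot',
    'a/b'      => 'a/b',
    'a/../b'   => 'a/dotdot/b',
    'a/..'     => 'a/dotdot',
    '../a'     => 'dotdot/a',
    // Cases the revision's tests do not cover.
    '.'        => 'dot',
    'a..b'     => 'a..b',            // interior dots are legal
    '...'      => '...',             // three dots are a normal segment
    '../..'    => 'dotdot/dotdot',   // adjacent special segments
    './.'      => 'dot/dot',
    'a/./../b' => 'a/dot/dotdot/b',
  );

  $failures = array();
  foreach ($vectors as $input => $expected) {
    $actual = rewriteDotSegments($input);
    if ($actual !== $expected) {
      $failures[$input] = $actual;
    }
  }
  return $failures;
}

$failures = checkDotSegmentVectors();
if ($failures) {
  foreach ($failures as $input => $actual) {
    printf("FAIL %s => %s\n", $input, $actual);
  }
  exit(1);
}
echo "all dot-segment vectors pass\n";
```

Running the script with `php` prints a pass line and exits 0; the `'...'` and `'a..b'` vectors are there to confirm the stricter pattern still only touches segments that are exactly one or two dots.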