Safe real path resolving added to `yii\console\controllers\AssetContr…
…oller::combineCssFiles()`
klimov-paul committed Nov 11, 2014
1 parent 112ad80 commit 63e434b
Showing 2 changed files with 71 additions and 1 deletion.
25 changes: 24 additions & 1 deletion framework/console/controllers/AssetController.php
Expand Up @@ -512,9 +512,10 @@ public function combineJsFiles($inputFiles, $outputFile)
public function combineCssFiles($inputFiles, $outputFile)
{
$content = '';
$outputFilePath = dirname($this->findRealPath($outputFile));
foreach ($inputFiles as $file) {
$content .= "/*** BEGIN FILE: $file ***/\n"
. $this->adjustCssUrl(file_get_contents($file), dirname($file), dirname($outputFile))
. $this->adjustCssUrl(file_get_contents($file), dirname($this->findRealPath($file)), $outputFilePath)
. "/*** END FILE: $file ***/\n";
}
if (!file_put_contents($outputFile, $content)) {
Expand Down Expand Up @@ -658,4 +659,26 @@ public function actionTemplate($configFile)
echo "Configuration file template created at '{$configFile}'.\n\n";
}
}

/**
* Returns canonicalized absolute pathname.
* Unlike regular `realpath()` this method does not expand symlinks and does not check path existence.
* @param string $path raw path
* @return string canonicalized absolute pathname
*/
private function findRealPath($path)
{
$path = str_replace(['/', '\\'], DIRECTORY_SEPARATOR, $path);
$pathParts = explode(DIRECTORY_SEPARATOR, $path);

$realPathParts = [];
foreach ($pathParts as $pathPart) {
if ($pathPart === '..') {
array_pop($realPathParts);
} else {
array_push($realPathParts, $pathPart);
}
}
return implode(DIRECTORY_SEPARATOR, $realPathParts);
}
}
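Review bot: In `findRealPath()` a `..` segment is popped unconditionally, so when `$realPathParts` is empty or holds only the leading empty root segment the segment is silently lost: `../css/a.css` comes back as `css/a.css` and `/../x` as the relative `x`. `combineCssFiles()` now feeds `dirname()` of that result to `adjustCssUrl()`, so rewritten `url()` references could be computed against a different directory than the one `file_get_contents($file)` read from. `.` and empty segments are also kept, and nothing makes a relative input absolute, so the docblock's "canonicalized absolute pathname" holds only for input that is already absolute. The loop below keeps a leading `..`, stops at the root and skips no-op segments; a Windows drive root such as `C:\..` is still not special-cased. Since the result is purely lexical (no symlink expansion, as the docblock says), it is suitable for URL rewriting but should not be reused as a containment check on file paths.

```php
// … unchanged: separator normalisation and explode() into $pathParts …
$realPathParts = [];
foreach ($pathParts as $index => $pathPart) {
    // '.' and empty segments are no-ops; index 0 is kept because an empty
    // first segment marks the root of an absolute path.
    if ($pathPart === '.' || ($pathPart === '' && $index > 0)) {
        continue;
    }
    if ($pathPart !== '..') {
        $realPathParts[] = $pathPart;
    } elseif ($realPathParts === [] || end($realPathParts) === '..') {
        // relative path climbing above its starting point: keep the segment
        $realPathParts[] = '..';
    } elseif (end($realPathParts) !== '') {
        // ordinary parent reference; at the root ('' only) there is nothing to pop
        array_pop($realPathParts);
    }
}
// … unchanged: implode() with DIRECTORY_SEPARATOR …
```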
47 changes: 47 additions & 0 deletions tests/unit/framework/console/controllers/AssetControllerTest.php
Expand Up @@ -409,4 +409,51 @@ public function testAdjustCssUrl($cssContent, $inputFilePath, $outputFilePath, $

$this->assertEquals($expectedCssContent, $adjustedCssContent, 'Unable to adjust CSS correctly!');
}

/**
* Data provider for [[testFindRealPath()]]
* @return array test data
*/
public function findRealPathDataProvider()
{
return [
[
'/linux/absolute/path',
'/linux/absolute/path',
],
[
'/linux/up/../path',
'/linux/path',
],
[
'/linux/twice/up/../../path',
'/linux/path',
],
[
'/linux/../mix/up/../path',
'/mix/path',
],
[
'C:\\windows\\absolute\\path',
'C:\\windows\\absolute\\path',
],
[
'C:\\windows\\up\\..\\path',
'C:\\windows\\path',
],
];
}

/**
* @dataProvider findRealPathDataProvider
*
* @param string $sourcePath
* @param string $expectedRealPath
*/
public function testFindRealPath($sourcePath, $expectedRealPath)
{
$expectedRealPath = str_replace(['/', '\\'], DIRECTORY_SEPARATOR, $expectedRealPath);
$realPath = $this->invokeAssetControllerMethod('findRealPath', [$sourcePath]);
$this->assertEquals($expectedRealPath, $realPath);
}
}
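Review bot: `findRealPathDataProvider()` only lists absolute paths whose `..` segments stay below the root, so the inputs where `findRealPath()` has to make a decision are not pinned: a relative path with a leading `..`, a `..` that climbs above the root, and `.` or doubled separators. Adding rows such as `['../css/main.css', …]`, `['/../path', …]` and `['/linux/./path', …]` with the intended results would document that contract and catch a regression in the URL rewriting done by `combineCssFiles()`. The Windows rows pass through the same `str_replace()` as the implementation, so on a non-Windows runner they exercise only separator conversion, which is worth a short comment on the provider.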
