Reject funky whitspace paths.

thephpleague · Jun 23, 2021 · a3c694d · a3c694d
1 parent 27ba26d
commit a3c694d
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 10 deletions.
diff --git a/src/CorruptedPathDetected.php b/src/CorruptedPathDetected.php
@@ -0,0 +1,13 @@
+<?php
+
+namespace League\Flysystem;
+
+use RuntimeException;
+
+final class CorruptedPathDetected extends RuntimeException implements FilesystemException
+{
+    public static function forPath(string $path): CorruptedPathDetected
+    {
+        return new CorruptedPathDetected("Corrupted path detected: " . $path);
+    }
+}
diff --git a/src/WhitespacePathNormalizer.php b/src/WhitespacePathNormalizer.php
@@ -9,21 +9,16 @@ class WhitespacePathNormalizer implements PathNormalizer
     public function normalizePath(string $path): string
     {
         $path = str_replace('\\', '/', $path);
-        $path = $this->removeFunkyWhiteSpace($path);
+        $this->rejectFunkyWhiteSpace($path);
 
         return $this->normalizeRelativePath($path);
     }
 
-    private function removeFunkyWhiteSpace(string $path): string
+    private function rejectFunkyWhiteSpace(string $path): void
     {
-        // Remove unprintable characters and invalid unicode characters.
-        // We do this check in a loop, since removing invalid unicode characters
-        // can lead to new characters being created.
-        while (preg_match('#\p{C}+|^\./#u', $path)) {
-            $path = (string) preg_replace('#\p{C}+|^\./#u', '', $path);
+        if (preg_match('#\p{C}+#u', $path)) {
+            throw CorruptedPathDetected::forPath($path);
         }
-
-        return $path;
     }
 
     private function normalizeRelativePath(string $path): string

diff --git a/src/WhitespacePathNormalizerTest.php b/src/WhitespacePathNormalizerTest.php
@@ -55,7 +55,6 @@ public function pathProvider(): array
             ['example/path/..txt', 'example/path/..txt'],
             ['\\example\\path.txt', 'example/path.txt'],
             ['\\example\\..\\path.txt', 'path.txt'],
-            ["some\0/path.txt", 'some/path.txt'],
         ];
     }
 
@@ -69,6 +68,21 @@ public function guarding_against_path_traversal(string $input): void
         $this->normalizer->normalizePath($input);
     }
 
+    /**
+     * @test
+     * @dataProvider dpFunkyWhitespacePaths
+     */
+    public function rejecting_funky_whitespace(string $path): void
+    {
+        self::expectException(CorruptedPathDetected::class);
+        $this->normalizer->normalizePath($path);
+    }
+
+    public function dpFunkyWhitespacePaths(): iterable
+    {
+        return [["some\0/path.txt"], ["s\x09i.php"]];
+    }
+
     /**
      * @return array<array<string>>
      */