loafle/openapi-generator
3
0
Fork 0
forked from loafle/openapi-generator-original
Code Pull Requests Activity

Merge pull request #1865 from wing328/php_fix_file_security

Browse Source 
[PHP] better filename handling in ObjectSerializer
This commit is contained in:
wing328 2016-01-12 11:28:59 +08:00
commit d35d97d145
4 changed files with 314 additions and 252 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
modules/swagger-codegen/src/main/resources/php/ObjectSerializer.mustache
View File

@ -79,6 +79,23 @@ class ObjectSerializer
return $sanitized; return $sanitized;
} }
/**
* Sanitize filename by removing path.
* e.g. ../../sun.gif becomes sun.gif
*
* @param string $filename filename to be sanitized
*
* @return string the sanitized filename
*/
public function sanitizeFilename($filename)
{
if (preg_match("/.*[\/\\\\](.*)$/", $filename, $match)) {
return $match[1];
} else {
return $filename;
}
}
/** /**
* Take value and turn it into a string suitable for inclusion in * Take value and turn it into a string suitable for inclusion in
* the path, by url-encoding. * the path, by url-encoding.
@ -232,7 +249,7 @@ class ObjectSerializer
} elseif ($class === '\SplFileObject') { } elseif ($class === '\SplFileObject') {
// determine file name // determine file name
if (array_key_exists('Content-Disposition', $httpHeaders) && preg_match('/inline; filename=[\'"]?([^\'"\s]+)[\'"]?$/i', $httpHeaders['Content-Disposition'], $match)) { if (array_key_exists('Content-Disposition', $httpHeaders) && preg_match('/inline; filename=[\'"]?([^\'"\s]+)[\'"]?$/i', $httpHeaders['Content-Disposition'], $match)) {
$filename = Configuration::getDefaultConfiguration()->getTempFolderPath().$match[1]; $filename = Configuration::getDefaultConfiguration()->getTempFolderPath() . sanitizeFilename($match[1]);
} else { } else {
$filename = tempnam(Configuration::getDefaultConfiguration()->getTempFolderPath(), ''); $filename = tempnam(Configuration::getDefaultConfiguration()->getTempFolderPath(), '');
} }

19
samples/client/petstore/php/SwaggerClient-php/lib/ObjectSerializer.php
View File

@ -79,6 +79,23 @@ class ObjectSerializer
return $sanitized; return $sanitized;
} }
/**
* Sanitize filename by removing path.
* e.g. ../../sun.gif becomes sun.gif
*
* @param string $filename filename to be sanitized
*
* @return string the sanitized filename
*/
public function sanitizeFilename($filename)
{
if (preg_match("/.*[\/\\\\](.*)$/", $filename, $match)) {
return $match[1];
} else {
return $filename;
}
}
/** /**
* Take value and turn it into a string suitable for inclusion in * Take value and turn it into a string suitable for inclusion in
* the path, by url-encoding. * the path, by url-encoding.
@ -232,7 +249,7 @@ class ObjectSerializer
} elseif ($class === '\SplFileObject') { } elseif ($class === '\SplFileObject') {
// determine file name // determine file name
if (array_key_exists('Content-Disposition', $httpHeaders) && preg_match('/inline; filename=[\'"]?([^\'"\s]+)[\'"]?$/i', $httpHeaders['Content-Disposition'], $match)) { if (array_key_exists('Content-Disposition', $httpHeaders) && preg_match('/inline; filename=[\'"]?([^\'"\s]+)[\'"]?$/i', $httpHeaders['Content-Disposition'], $match)) {
$filename = Configuration::getDefaultConfiguration()->getTempFolderPath().$match[1]; $filename = Configuration::getDefaultConfiguration()->getTempFolderPath() . sanitizeFilename($match[1]);
} else { } else {
$filename = tempnam(Configuration::getDefaultConfiguration()->getTempFolderPath(), ''); $filename = tempnam(Configuration::getDefaultConfiguration()->getTempFolderPath(), '');
} }

29
samples/client/petstore/php/SwaggerClient-php/tests/ObjectSerializerTest.php Normal file
View File

@ -0,0 +1,29 @@
<?php
require_once('autoload.php');
// test object serializer
class ObjectSerializerTest extends \PHPUnit_Framework_TestCase
{
// test sanitizeFilename
public function testSanitizeFilename()
{
// initialize the API client
$s = new Swagger\Client\ObjectSerializer();
$this->assertSame("sun.gif", $s->sanitizeFilename("sun.gif"));
$this->assertSame("sun.gif", $s->sanitizeFilename("../sun.gif"));
$this->assertSame("sun.gif", $s->sanitizeFilename("/var/tmp/sun.gif"));
$this->assertSame("sun.gif", $s->sanitizeFilename("./sun.gif"));
$this->assertSame("sun", $s->sanitizeFilename("sun"));
$this->assertSame("sun.gif", $s->sanitizeFilename("..\sun.gif"));
$this->assertSame("sun.gif", $s->sanitizeFilename("\var\tmp\sun.gif"));
$this->assertSame("sun.gif", $s->sanitizeFilename("c:\var\tmp\sun.gif"));
$this->assertSame("sun.gif", $s->sanitizeFilename(".\sun.gif"));
}
}
?>

1
samples/client/petstore/php/SwaggerClient-php/tests/PetApiTest.php
View File

@ -253,7 +253,6 @@ class PetApiTest extends \PHPUnit_Framework_TestCase
$this->assertInternalType("int", $get_response['sold']); $this->assertInternalType("int", $get_response['sold']);
$this->assertInternalType("int", $get_response['pending']); $this->assertInternalType("int", $get_response['pending']);
} }
} }