Disallow viewing dot-files in Profiler

curry684 · curry684 · commit 6a2f518e74da · 2017-12-04T14:14:51.000+01:00
The file viewer in the profiler should not open files that were meant
to be hidden, like specifically .env files, but similarly files like
.htaccess that might expose server configuration knowledge.
diff --git a/src/Symfony/Bundle/WebProfilerBundle/Controller/ProfilerController.php b/src/Symfony/Bundle/WebProfilerBundle/Controller/ProfilerController.php
@@ -385,7 +385,7 @@ public function openAction(Request $request)
 
         $filename = $this->baseDir.DIRECTORY_SEPARATOR.$file;
 
-        if (preg_match("'(^|[/\\\\])\.\.?([/\\\\]|$)'", $file) || !is_readable($filename)) {
+        if (preg_match("'(^|[/\\\\])\.'", $file) || !is_readable($filename)) {
             throw new NotFoundHttpException(sprintf('The file "%s" cannot be opened.', $file));
         }
 
diff --git a/src/Symfony/Bundle/WebProfilerBundle/Tests/Controller/ProfilerControllerTest.php b/src/Symfony/Bundle/WebProfilerBundle/Tests/Controller/ProfilerControllerTest.php
@@ -14,6 +14,7 @@
 use PHPUnit\Framework\TestCase;
 use Symfony\Bundle\WebProfilerBundle\Controller\ProfilerController;
 use Symfony\Bundle\WebProfilerBundle\Csp\ContentSecurityPolicyHandler;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 use Symfony\Component\HttpKernel\Profiler\Profile;
 use Symfony\Component\HttpFoundation\Request;
 
@@ -46,6 +47,42 @@ public function getEmptyTokenCases()
         );
     }
 
+    /**
+     * @dataProvider getOpenFileCases
+     */
+    public function testOpeningDisallowedPaths($path, $isAllowed)
+    {
+        $urlGenerator = $this->getMockBuilder('Symfony\Component\Routing\Generator\UrlGeneratorInterface')->getMock();
+        $twig = $this->getMockBuilder('Twig\Environment')->disableOriginalConstructor()->getMock();
+        $profiler = $this
+            ->getMockBuilder('Symfony\Component\HttpKernel\Profiler\Profiler')
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $controller = new ProfilerController($urlGenerator, $profiler, $twig, array(), 'bottom', null, __DIR__.'/../..');
+
+        try {
+            $response = $controller->openAction(Request::create('/_wdt/open', Request::METHOD_GET, array('file' => $path)));
+            $this->assertEquals(200, $response->getStatusCode());
+            $this->assertTrue($isAllowed);
+        } catch (NotFoundHttpException $e) {
+            $this->assertFalse($isAllowed);
+        }
+    }
+
+    public function getOpenFileCases()
+    {
+        return array(
+            array('README.md', true),
+            array('composer.json', true),
+            array('Controller/ProfilerController.php', true),
+            array('.gitignore', false),
+            array('../TwigBundle/README.md', false),
+            array('Controller/../README.md', false),
+            array('Controller/./ProfilerController.php', false),
+        );
+    }
+
     /**
      * @dataProvider provideCspVariants
      */

Original file line number	Diff line number	Diff line change
`@@ -385,7 +385,7 @@ public function openAction(Request $request)`
`385`	`385`
`386`	`386`	`$filename = $this->baseDir.DIRECTORY_SEPARATOR.$file;`
`387`	`387`
`388`		`- if (preg_match("'(^\|[/\\\\])\.\.?([/\\\\]\|$)'", $file) \|\| !is_readable($filename)) {`
	`388`	`+ if (preg_match("'(^\|[/\\\\])\.'", $file) \|\| !is_readable($filename)) {`
`389`	`389`	`throw new NotFoundHttpException(sprintf('The file "%s" cannot be opened.', $file));`
`390`	`390`	`}`
`391`	`391`