Merge branch 'swoole-serve-files-from-symlink'

Author: taylorotwell

src/Swoole/SwooleClient.php

@@ -56,19 +56,62 @@ public function canServeRequestAsStaticFile(Request $request, RequestContext $co
 
         $publicPath = $context->publicPath;
 
+        $pathToFile = realpath($publicPath.'/'.$request->path());
+
+        if ($this->isValidFileWithinSymlink($request, $publicPath, $pathToFile)) {
+            $pathToFile = $publicPath.'/'.$request->path();
+        }
+
         return $this->fileIsServable(
             $publicPath,
-            realpath($publicPath.'/'.$request->path()),
+            $pathToFile,
         );
     }
 
     /**
-     * Determine if the given file is servable.
+     * Determine if the request is for a valid static file within a symlink.
      *
+     * @param  \Illuminate\Http\Request  $request
      * @param  string  $publicPath
      * @param  string  $pathToFile
      * @return bool
      */
+    private function isValidFileWithinSymlink(Request $request, string $publicPath, string $pathToFile): bool
+    {
+        $pathAfterSymlink = $this->pathAfterSymlink($publicPath, $request->path());
+
+        return $pathAfterSymlink && str_ends_with($pathToFile, $pathAfterSymlink);
+    }
+
+    /**
+     * If the given public file is within a symlinked directory, return the path after the symlink.
+     *
+     * @param  string  $publicPath
+     * @param  string  $path
+     * @return string|bool
+     */
+    private function pathAfterSymlink(string $publicPath, string $path)
+    {
+        $directories = explode('/', $path);
+
+        while ($directory = array_shift($directories)) {
+            $publicPath .= '/'.$directory;
+
+            if (is_link($publicPath)) {
+                return implode('/', $directories);
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Determine if the given file is servable.
+     *
+     * @param  string $publicPath
+     * @param  string $pathToFile
+     * @return bool
+     */
     protected function fileIsServable(string $publicPath, string $pathToFile): bool
     {
         return $pathToFile &&

tests/SwooleClientTest.php

@@ -116,6 +116,34 @@ public function test_static_file_can_be_served()
         $client->serveStaticFile($request, $context);
     }
 
+    /** @test */
+    public function test_can_serve_static_files_through_symlink()
+    {
+        $client = new SwooleClient;
+
+        $request = Request::create('/symlink/foo.txt', 'GET');
+
+        $context = new RequestContext([
+            'publicPath' => __DIR__.'/public/files',
+        ]);
+
+        $this->assertTrue($client->canServeRequestAsStaticFile($request, $context));
+    }
+
+    /** @test */
+    public function test_cant_serve_static_files_through_symlink_using_directory_traversal()
+    {
+        $client = new SwooleClient;
+
+        $request = Request::create('/symlink/../files/bar.txt', 'GET');
+
+        $context = new RequestContext([
+            'publicPath' => __DIR__.'/public/files',
+        ]);
+
+        $this->assertFalse($client->canServeRequestAsStaticFile($request, $context));
+    }
+
     /** @doesNotPerformAssertions @test */
     public function test_respond_method_send_response_to_swoole()
     {

tests/public/files/symlink

@@ -0,0 +1 @@
+../symlinkedFolder

tests/public/symlinkedFolder/foo.txt

@@ -0,0 +1 @@
+foobar