12 years ago · d4db64ff26
--- a/lib/Cake/Routing/Filter/AssetDispatcher.php
+++ b/lib/Cake/Routing/Filter/AssetDispatcher.php
@@ -42,7 +42,7 @@ class AssetDispatcher extends DispatcherFilter {
 
				  * @return CakeResponse if the client is requesting a recognized asset, null otherwise
			
 
				  */
			
 
				 	public function beforeDispatch(CakeEvent $event) {
			
 
				-		$url = $event->data['request']->url;
			
 
				+		$url = urldecode($event->data['request']->url);
			
 
				 		if (strpos($url, '..') !== false || strpos($url, '.') === false) {
			
 
				 			return;
			
 
				 		}
			
@@ -118,7 +118,7 @@ class AssetDispatcher extends DispatcherFilter {
 
				 		if ($parts[0] === 'theme') {
			
 
				 			$themeName = $parts[1];
			
 
				 			unset($parts[0], $parts[1]);
			
 
				-			$fileFragment = urldecode(implode(DS, $parts));
			
 
				+			$fileFragment = implode(DS, $parts);
			
 
				 			$path = App::themePath($themeName) . 'webroot' . DS;
			
 
				 			return $path . $fileFragment;
			
 
				 		}
			
@@ -126,7 +126,7 @@ class AssetDispatcher extends DispatcherFilter {
 
				 		$plugin = Inflector::camelize($parts[0]);
			
 
				 		if ($plugin && CakePlugin::loaded($plugin)) {
			
 
				 			unset($parts[0]);
			
 
				-			$fileFragment = urldecode(implode(DS, $parts));
			
 
				+			$fileFragment = implode(DS, $parts);
			
 
				 			$pluginWebroot = CakePlugin::path($plugin) . 'webroot' . DS;
			
 
				 			return $pluginWebroot . $fileFragment;
			
 
				 		}
			
--- a/lib/Cake/Test/Case/Routing/Filter/AssetDispatcherTest.php
+++ b/lib/Cake/Test/Case/Routing/Filter/AssetDispatcherTest.php
@@ -143,4 +143,48 @@ class AssetDispatcherTest extends CakeTestCase {
 
				 		$this->assertFalse($event->isStopped());
			
 
				 	}
			
 
				 
			
 
				+/**
			
 
				+ * Test that attempts to traverse directories are prevented.
			
 
				+ *
			
 
				+ * @return void
			
 
				+ */
			
 
				+	public function test404OnDoubleDot() {
			
 
				+		App::build(array(
			
 
				+			'Plugin' => array(CAKE . 'Test' . DS . 'test_app' . DS . 'Plugin' . DS),
			
 
				+			'View' => array(CAKE . 'Test' . DS . 'test_app' . DS . 'View' . DS)
			
 
				+		), APP::RESET);
			
 
				+
			
 
				+		$response = $this->getMock('CakeResponse', array('_sendHeader'));
			
 
				+		$request = new CakeRequest('theme/test_theme/../../../../../../VERSION.txt');
			
 
				+		$event = new CakeEvent('Dispatcher.beforeRequest', $this, compact('request', 'response'));
			
 
				+
			
 
				+		$response->expects($this->never())->method('send');
			
 
				+
			
 
				+		$filter = new AssetDispatcher();
			
 
				+		$this->assertNull($filter->beforeDispatch($event));
			
 
				+		$this->assertFalse($event->isStopped());
			
 
				+	}
			
 
				+
			
 
				+/**
			
 
				+ * Test that attempts to traverse directories with urlencoded paths fail.
			
 
				+ *
			
 
				+ * @return void
			
 
				+ */
			
 
				+	public function test404OnDoubleDotEncoded() {
			
 
				+		App::build(array(
			
 
				+			'Plugin' => array(CAKE . 'Test' . DS . 'test_app' . DS . 'Plugin' . DS),
			
 
				+			'View' => array(CAKE . 'Test' . DS . 'test_app' . DS . 'View' . DS)
			
 
				+		), APP::RESET);
			
 
				+
			
 
				+		$response = $this->getMock('CakeResponse', array('_sendHeader', 'send'));
			
 
				+		$request = new CakeRequest('theme/test_theme/%2e./%2e./%2e./%2e./%2e./%2e./VERSION.txt');
			
 
				+		$event = new CakeEvent('Dispatcher.beforeRequest', $this, compact('request', 'response'));
			
 
				+
			
 
				+		$response->expects($this->never())->method('send');
			
 
				+
			
 
				+		$filter = new AssetDispatcher();
			
 
				+		$this->assertNull($filter->beforeDispatch($event));
			
 
				+		$this->assertFalse($event->isStopped());
			
 
				+	}
			
 
				+
			
 
				 }