Merge pull request #6565 from open-sausages/pulls/4.0/safe-root

BUG Ensure root path of any local adapter is safely created and mapped from symlink
This commit is contained in:
Daniel Hensby 2017-01-25 11:12:37 +00:00 committed by GitHub
commit b4fc46d63e
2 changed files with 22 additions and 14 deletions

View File

@ -5,6 +5,7 @@ namespace SilverStripe\Assets\Flysystem;
use League\Flysystem\Adapter\Local;
use League\Flysystem\Config as FlysystemConfig;
use SilverStripe\Assets\File;
use SilverStripe\Assets\Filesystem;
use SilverStripe\Core\Config\Config;
use SilverStripe\ORM\ArrayList;
use SilverStripe\View\ArrayData;
@ -43,8 +44,10 @@ class AssetAdapter extends Local
public function __construct($root = null, $writeFlags = LOCK_EX, $linkHandling = self::DISALLOW_LINKS)
{
// Get root path
// Get root path, and ensure that this exists and is safe
$root = $this->findRoot($root);
Filesystem::makeFolder($root);
$root = realpath($root);
// Override permissions with config
$permissions = Config::inst()->get(get_class($this), 'file_permissions');

View File

@ -7,6 +7,13 @@ use SilverStripe\Control\Director;
class PublicAssetAdapter extends AssetAdapter implements PublicAdapter
{
/**
* Prefix between the root url and base of the assets folder
* Used for generating public urls
*
* @var string
*/
protected $parentUrlPrefix = null;
/**
* Server specific configuration necessary to block http traffic to a local folder
@ -26,11 +33,18 @@ class PublicAssetAdapter extends AssetAdapter implements PublicAdapter
protected function findRoot($root)
{
if ($root) {
return parent::findRoot($root);
$path = parent::findRoot($root);
} else {
$path = ASSETS_PATH;
}
// Empty root will set the path to assets
return ASSETS_PATH;
// Detect segment between root directory and assets root
if (stripos($path, BASE_PATH) === 0) {
$this->parentUrlPrefix = substr($path, strlen(BASE_PATH));
} else {
$this->parentUrlPrefix = ASSETS_DIR;
}
return $path;
}
/**
@ -41,15 +55,6 @@ class PublicAssetAdapter extends AssetAdapter implements PublicAdapter
*/
public function getPublicUrl($path)
{
$rootPath = realpath(BASE_PATH);
$filesPath = realpath($this->pathPrefix);
if (stripos($filesPath, $rootPath) === 0) {
$dir = substr($filesPath, strlen($rootPath));
return Controller::join_links(Director::baseURL(), $dir, $path);
}
// File outside of webroot can't be used
return null;
return Controller::join_links(Director::baseURL(), $this->parentUrlPrefix, $path);
}
}