Attempt to fix directory traversal

Jeroen van Meeuwen · Jeroen van Meeuwen · commit 428e5d19a32c · 2021-01-11T17:17:21.000+01:00
diff --git a/config/swoole_http.php b/config/swoole_http.php
@@ -12,7 +12,7 @@
     'server' => [
         'host' => env('SWOOLE_HTTP_HOST', '127.0.0.1'),
         'port' => env('SWOOLE_HTTP_PORT', '1215'),
-        'public_path' => base_path('public'),
+        'document_root' => base_path('public'),
         // Determine if to use swoole to respond request for static files
         'handle_static_files' => env('SWOOLE_HANDLE_STATIC', true),
         'access_log' => env('SWOOLE_HTTP_ACCESS_LOG', false),
diff --git a/src/Server/Manager.php b/src/Server/Manager.php
@@ -205,11 +205,11 @@ public function onRequest($swooleRequest, $swooleResponse)
         $this->resetOnRequest();
         $sandbox = $this->app->make(Sandbox::class);
         $handleStatic = $this->container->make('config')->get('swoole_http.server.handle_static_files', true);
-        $publicPath = $this->container->make('config')->get('swoole_http.server.public_path', base_path('public'));
+        $documentRoot = $this->container->make('config')->get('swoole_http.server.document_root', base_path('public'));
 
         try {
             // handle static file request first
-            if ($handleStatic && Request::handleStatic($swooleRequest, $swooleResponse, $publicPath)) {
+            if ($handleStatic && Request::handleStatic($swooleRequest, $swooleResponse, $documentRoot)) {
                 return;
             }
             // transform swoole request to illuminate request
diff --git a/src/Transformers/Request.php b/src/Transformers/Request.php
@@ -175,20 +175,28 @@ protected static function transformServerParameters(array $server, array $header
      *
      * @param \Swoole\Http\Request $swooleRequest
      * @param \Swoole\Http\Response $swooleResponse
-     * @param string $publicPath
+     * @param string $documentRoot
      *
      * @return boolean
      */
-    public static function handleStatic($swooleRequest, $swooleResponse, string $publicPath)
+    public static function handleStatic($swooleRequest, $swooleResponse, string $documentRoot)
     {
         $uri = $swooleRequest->server['request_uri'] ?? '';
         $extension = strtok(pathinfo($uri, PATHINFO_EXTENSION), '?');
-        $fileName = $publicPath . $uri;
+        $fileName = @realpath($documentRoot . $uri);
+
+        if (!$fileName) {
+            return false;
+        }
 
         if ($extension && in_array($extension, static::EXTENSION_BLACKLIST)) {
             return false;
         }
 
+        if (substr($fileName, 0, strlen($documentRoot)) != $documentRoot) {
+            return false;
+        }
+
         if (! is_file($fileName) || ! filesize($fileName)) {
             return false;
         }
diff --git a/tests/Server/ManagerTest.php b/tests/Server/ManagerTest.php
@@ -61,7 +61,7 @@ class ManagerTest extends TestCase
         'swoole_http.tables' => [],
         'swoole_http.providers' => [],
         'swoole_http.resetters' => [],
-        'swoole_http.server.public_path' => '/',
+        'swoole_http.server.document_root' => '/',
     ];
 
     public function testGetFramework()
