From 337f18205794c686242c9de79db1fd19ee5f2d44 Mon Sep 17 00:00:00 2001
From: Alex Pott
Date: Fri, 19 Jun 2015 16:49:04 -0500
Subject: [PATCH] Issue #2508654 by chx, dawehner, Chi: File inclusion in transliteration service

---
 .../Transliteration/PhpTransliteration.php | 2 +-
 .../TransliterationInterface.php | 2 +-
 .../PhpTransliterationTest.php | 23 ++++++++++++++++++-
 3 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/core/lib/Drupal/Component/Transliteration/PhpTransliteration.php b/core/lib/Drupal/Component/Transliteration/PhpTransliteration.php
index 8e85eb34364..01e98057699 100644
--- a/core/lib/Drupal/Component/Transliteration/PhpTransliteration.php
+++ b/core/lib/Drupal/Component/Transliteration/PhpTransliteration.php
@@ -243,7 +243,7 @@ class PhpTransliteration implements TransliterationInterface {
 protected function readLanguageOverrides($langcode) {
 // Figure out the file name to use by sanitizing the language code,
 // just in case.
- $file = $this->dataDirectory . '/' . preg_replace('[^a-zA-Z\-]', '', $langcode) . '.php';
+ $file = $this->dataDirectory . '/' . preg_replace('/[^a-zA-Z\-]/', '', $langcode) . '.php';
 
 // Read in this file, which should set up a variable called $overrides,
 // which will be local to this function.
diff --git a/core/lib/Drupal/Component/Transliteration/TransliterationInterface.php b/core/lib/Drupal/Component/Transliteration/TransliterationInterface.php
index 4d088efffe1..60ac07bf593 100644
--- a/core/lib/Drupal/Component/Transliteration/TransliterationInterface.php
+++ b/core/lib/Drupal/Component/Transliteration/TransliterationInterface.php
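Review bot: The corrected pattern now strips disallowed characters, but it still maps a hostile language code onto a valid file name instead of refusing it — `../index` becomes `index`, so a caller-controlled langcode silently selects whichever override file survives the stripping, and a code made entirely of stripped characters resolves to `$this->dataDirectory . '/.php'`. Rejecting non-matching input would be the stricter boundary check, e.g. `if (!preg_match('/^[a-zA-Z\-]+$/', $langcode)) { /* no overrides for this code */ }` before building the path, though that would change behaviour for any existing callers passing digits or underscores and needs checking against them. Whatever is chosen, the delimiters deserve a comment because their absence was the defect: `// The '/' delimiters are required: without them PCRE treats the brackets as the pattern delimiter and nothing is stripped.` The enclosing readLanguageOverrides() continues past the hunk; the include of $file is not visible here.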
@@ -37,7 +37,7 @@ interface TransliterationInterface {
 * The string to transliterate.
 * @param string $langcode
 * (optional) The language code of the language the string is in. Defaults
- * to 'en' if not provided.
+ * to 'en' if not provided. Warning: this can be unfiltered user input.
 * @param string $unknown_character
 * (optional) The character to substitute for characters in $string without
 * transliterated equivalents. Defaults to '?'.
diff --git a/core/tests/Drupal/Tests/Component/Transliteration/PhpTransliterationTest.php b/core/tests/Drupal/Tests/Component/Transliteration/PhpTransliterationTest.php
index f01ee0521c1..de7f4289206 100644
--- a/core/tests/Drupal/Tests/Component/Transliteration/PhpTransliterationTest.php
+++ b/core/tests/Drupal/Tests/Component/Transliteration/PhpTransliterationTest.php
@@ -10,13 +10,14 @@ namespace Drupal\Tests\Component\Transliteration;
 use Drupal\Component\Transliteration\PhpTransliteration;
 use Drupal\Component\Utility\Random;
 use Drupal\Tests\UnitTestCase;
+use org\bovigo\vfs\vfsStream;
 
 /**
 * Tests Transliteration component functionality.
 *
 * @group Transliteration
 *
- * @coversClass \Drupal\Component\Transliteration\PhpTransliteration
+ * @coversDefaultClass \Drupal\Component\Transliteration\PhpTransliteration
 */
 class PhpTransliterationTest extends UnitTestCase {
 
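Review bot: The added warning tells implementers that $langcode may be untrusted but not what that obliges them to do, so the docblock still leaves the contract implicit. Stating the obligation would make the interface self-documenting, e.g. `Implementations must treat this value as untrusted and validate it before using it in a file path, an include, or any other context where its characters matter.` The transliterate() signature this docblock belongs to lies outside the hunk.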
@@ -168,4 +169,24 @@ class PhpTransliterationTest extends UnitTestCase {
 $this->assertSame($trunc_output, $transliteration->transliterate($input, 'de', '?', 18), 'Truncating to 18 characters works');
 }
 
+ /**
+ * Tests inclusion is safe.
+ *
+ * @covers ::readLanguageOverrides
+ */
+ public function testSafeInclude() {
+ // The overrides in the transliteration data directory transliterates 0x82
+ // into "safe" but the overrides one directory higher transliterates the
+ // same character into "security hole". So by using "../index" as the
+ // language code we can test the ../ is stripped from the langcode.
+ vfsStream::setup('transliteration', NULL, [
+ 'index.php' => ' [0x82 => "security hole"]];',
+ 'dir' => [
+ 'index.php' => ' [0x82 => "safe"]];',
+ ],
+ ]);
+ $transliteration = new PhpTransliteration(vfsStream::url('transliteration/dir'));
+ $transliterated = $transliteration->transliterate(chr(0xC2) . chr(0x82), '../index');
+ $this->assertSame($transliterated, 'safe');
+ }
 }
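Review bot: `$this->assertSame($transliterated, 'safe')` passes the actual value in the expected slot, so a failure would be reported with the two values labelled the wrong way round; write `$this->assertSame('safe', $transliterated);`. The fixture strings as shown here (`' [0x82 => "security hole"]];'`) do not open with a PHP tag or an `$overrides` assignment, so as rendered they would not define the variable the comment above them describes — this looks like an artefact of how the patch was rendered, but it is worth confirming against the committed file. The test also exercises only the success path for a `../` prefix; a second assertion using a langcode made entirely of stripped characters, checking that neither override value is returned, would pin down how the sanitizer behaves when nothing valid remains.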