Hi,

I found that this morning when I tried to serve a file with a space in its filename. The class photon\view\AssetDir doesn't use the method 'urldecode' before the evaluation of the file requested. So we can try to access a filename like 'img/fig%20a.png' on the disk instead of 'img/fig a.png'.

The issue touches both serve and serveFromPhar methods.

William
Hello,

> The class photon\view\AssetDir doesn't use the method 'urldecode' before
> the evaluation of the file requested.
> So we can try to access a filename like 'img/fig%20a.png' on the disk
> instead of 'img/fig a.png'.
>
> The issue touches both serve and serveFromPhar methods.

Do you have a quick patch?

loïc
http://code.power-lan.com/p/photon/source/tree/fix.AssetViewFilenameEncoding/

William

On Thu, Sep 15, 2011 at 3:22 PM, Loic d'Anterroches <loic@ceondo.com> wrote:
> Hello,
>
>> The class photon\view\AssetDir doesn't use the method 'urldecode' before
>> the evaluation of the file requested.
>> So we can try to access a filename like 'img/fig%20a.png' on the disk
>> instead of 'img/fig a.png'.
>>
>> The issue touches both serve and serveFromPhar methods.
>
> Do you have a quick patch?
>
> loïc

-- 
---------------------------------------------------------
William MARTIN
wysman @NoSpAm@ gmail @DoT@ com
On 2011-09-15 17:43, William MARTIN wrote:
> http://code.power-lan.com/p/photon/source/tree/fix.AssetViewFilenameEncoding/

Ok, but this will not work for the phar archive as, anyway, the space is not allowed by the phar filtering regex. Allowing a lot of different characters in the path is a can of worms. So before "allowing" I will dig further to find something which will not allow an attacker to forge a request to get, for example, a source file.

loïc

> On Thu, Sep 15, 2011 at 3:22 PM, Loic d'Anterroches <loic@ceondo.com> wrote:
>
>> Hello,
>>
>>> The class photon\view\AssetDir doesn't use the method 'urldecode' before
>>> the evaluation of the file requested.
>>> So we can try to access a filename like 'img/fig%20a.png' on the disk
>>> instead of 'img/fig a.png'.
>>>
>>> The issue touches both serve and serveFromPhar methods.
>>
>> Do you have a quick patch?
>>
>> loïc
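The two concerns raised so far (decode the percent-encoded request before looking the file up, and still keep a forged request from reaching anything outside the asset directory) can be handled in one resolver. This is an added example, not Photon's code or William's patch; `resolveAssetPath()` is an assumed helper name, `rawurldecode()` is used instead of `urldecode()` so that `+` is not turned into a space, and the temporary directory at the bottom is constructed for the demonstration.

```php
<?php
// Added example (not Photon's own code): decode the request path once, then
// make sure the decoded path cannot escape the asset directory.
// Assumed helper name: resolveAssetPath(). $baseDir must be an existing directory.

function resolveAssetPath(string $baseDir, string $requestPath): ?string
{
    // Decode percent-encoding exactly once, as the bug report asks for.
    // rawurldecode() leaves '+' alone, which is what a path (not a query) needs.
    $decoded = rawurldecode($requestPath);

    // Reject NUL bytes and backslashes that only become visible after decoding.
    if ($decoded === '' || strpos($decoded, "\0") !== false || strpos($decoded, '\\') !== false) {
        return null;
    }

    // Allow only the characters assets are expected to use; space is allowed here.
    if (!preg_match('#\A[A-Za-z0-9_ ./-]+\z#', $decoded)) {
        return null;
    }

    // Reject empty, '.' and '..' segments, so a leading '/' or traversal is refused.
    foreach (explode('/', $decoded) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return null;
        }
    }

    // Resolve symlinks and compare the canonical paths: the file must sit below the root.
    $root = realpath($baseDir);
    $full = $root === false ? false : realpath($root . DIRECTORY_SEPARATOR . $decoded);
    if ($root === false || $full === false || !is_file($full)) {
        return null;
    }
    if (strncmp($full, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Constructed demonstration: a temporary asset directory holding 'img/fig a.png'.
$base = sys_get_temp_dir() . '/assets_' . getmypid();
mkdir($base . '/img', 0700, true);
file_put_contents($base . '/img/fig a.png', 'png-bytes');

var_dump(resolveAssetPath($base, 'img/fig%20a.png')); // the file on disk
var_dump(resolveAssetPath($base, 'img/fig a.png'));   // the same file
var_dump(resolveAssetPath($base, '../config.php'));   // refused
```

The segment check and the `realpath()` prefix comparison are deliberately redundant: the first refuses traversal before touching the filesystem, the second catches anything the character filter did not anticipate, such as a symlink inside the asset directory pointing outside it.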
Thanks Loic,

About assets from a phar:
All files in the phar are compressed with GZ, and most web viewers accept answers compressed in GZ. It can be checked in the HTTP headers. Actually, the file is uncompressed (uses more CPU) and sent uncompressed (uses more bandwidth).

Do they have a way to extract the file from the phar without uncompressing it?

William

On Tue, Sep 20, 2011 at 9:35 AM, Loic d'Anterroches <loic@ceondo.com> wrote:
> On 2011-09-15 17:43, William MARTIN wrote:
>> http://code.power-lan.com/p/photon/source/tree/fix.AssetViewFilenameEncoding/
>
> Ok, but this will not work for the phar archive as, anyway, the space
> is not allowed by the phar filtering regex. Allowing a lot of different
> characters in the path is a can of worms. So before "allowing" I will
> dig further to find something which will not allow an attacker to forge
> a request to get, for example, a source file.
>
> loïc
>
>> On Thu, Sep 15, 2011 at 3:22 PM, Loic d'Anterroches <loic@ceondo.com> wrote:
>>
>>> Hello,
>>>
>>>> The class photon\view\AssetDir doesn't use the method 'urldecode' before
>>>> the evaluation of the file requested.
>>>> So we can try to access a filename like 'img/fig%20a.png' on the disk
>>>> instead of 'img/fig a.png'.
>>>>
>>>> The issue touches both serve and serveFromPhar methods.
>>>
>>> Do you have a quick patch?
>>>
>>> loïc

-- 
---------------------------------------------------------
William MARTIN
wysman @NoSpAm@ gmail @DoT@ com
Hello,

> About assets from a phar:
> All files in the phar are compressed with GZ, and most web viewers accept
> answers compressed in GZ. It can be checked in the HTTP headers.
> Actually, the file is uncompressed (uses more CPU) and sent uncompressed (uses
> more bandwidth).
>
> Do they have a way to extract the file from the phar without uncompressing it?

I think you can. At the moment, the files are GZ compressed because I set it so in the way the .phar is built; we can adjust this in the future. In fact, we can store a compressed and a non-compressed version if needed. We have a lot of flexibility to have optimized content in the .phar.

loïc

> On Tue, Sep 20, 2011 at 9:35 AM, Loic d'Anterroches <loic@ceondo.com> wrote:
>
>> On 2011-09-15 17:43, William MARTIN wrote:
>>> http://code.power-lan.com/p/photon/source/tree/fix.AssetViewFilenameEncoding/
>>
>> Ok, but this will not work for the phar archive as, anyway, the space
>> is not allowed by the phar filtering regex. Allowing a lot of different
>> characters in the path is a can of worms. So before "allowing" I will
>> dig further to find something which will not allow an attacker to forge
>> a request to get, for example, a source file.
>>
>> loïc
>>
>>> On Thu, Sep 15, 2011 at 3:22 PM, Loic d'Anterroches <loic@ceondo.com> wrote:
>>>
>>>> Hello,
>>>>
>>>>> The class photon\view\AssetDir doesn't use the method 'urldecode' before
>>>>> the evaluation of the file requested.
>>>>> So we can try to access a filename like 'img/fig%20a.png' on the disk
>>>>> instead of 'img/fig a.png'.
>>>>>
>>>>> The issue touches both serve and serveFromPhar methods.
>>>>
>>>> Do you have a quick patch?
>>>>
>>>> loïc