fix security
tuunalai committed May 10, 2024
1 parent c607267 commit 0aa8f7e
Showing 3 changed files with 48 additions and 1 deletion.
1 change: 1 addition & 0 deletions composer.json
Expand Up @@ -36,6 +36,7 @@
"ext-json": "*",
"ext-simplexml": "*",
"ext-mbstring": "*",
"ext-libxml": "*",
"guzzlehttp/guzzle": "^6.2.1 || ^7.0",
"guzzlehttp/guzzle-services": "^1.1",
"guzzlehttp/psr7": "^1.3.1 || ^2.0"
27 changes: 26 additions & 1 deletion src/Client.php
Expand Up @@ -553,10 +553,29 @@ public function upload($bucket, $key, $body, $options = array()) {
return $rt;
}

public static function simplifyPath($path) {
$names = explode("/", $path);
$stack = array();
foreach ($names as $name) {
if ($name == "..") {
if (!empty($stack)) {
array_pop($stack);
}
} elseif ($name && $name != ".") {
array_push($stack, $name);
}
}
return "/" . implode("/", $stack);
}

public function download($bucket, $key, $saveAs, $options = array()) {
$options['PartSize'] = isset($options['PartSize']) ? $options['PartSize'] : RangeDownload::DEFAULT_PART_SIZE;
$versionId = isset($options['VersionId']) ? $options['VersionId'] : '';

if ("/" == self::simplifyPath($key)) {
$e = new Exception\CosException('GET OBEJCT NOT FOUND');
$e->setExceptionCode('404');
throw $e;
}
$rt = $this->headObject(array(
'Bucket'=>$bucket,
'Key'=>$key,
Expand Down Expand Up @@ -664,6 +683,12 @@ public function doesObjectExist($bucket, $key, array $options = array())
}

public static function explodeKey($key) {

if ("/" == self::simplifyPath($key)) {
$e = new Exception\CosException('GET OBEJCT NOT FOUND');
$e->setExceptionCode('404');
throw $e;
}
// Remove a leading slash if one is found
$split_key = explode('/', $key && $key[0] == '/' ? substr($key, 1) : $key);
// Remove empty element
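Review bot: `simplifyPath` silently drops any path component that is the string `"0"`, because the condition on the `elseif` line tests truthiness and `"0"` is falsy in PHP; a key such as `a/0/b` normalises to `/a/b`, and a key of exactly `0` normalises to `/`, which makes the new guards in `download()` and `explodeKey()` throw the 404 for a legitimately named object. Compare explicitly instead: `} elseif ($name !== '' && $name !== '.') {`, and for symmetry `if ($name === '..') {`. The five-line root-key guard is pasted identically into both hunks, each carrying the same typo in the user-visible message (`'GET OBEJCT NOT FOUND'` should read `'GET OBJECT NOT FOUND'`); a single private static helper that performs the `simplifyPath` check and throws the `CosException` would keep the message and the status code in one place. `simplifyPath` is fully inside the first hunk, but `download()` and `explodeKey()` both continue past the hunk boundaries.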
21 changes: 21 additions & 0 deletions src/ResultTransformer.php
Expand Up @@ -86,6 +86,9 @@ public function ciContentInfoTransformer(CommandInterface $command, Result $resu
$length = intval($result['ContentLength']);
if($length > 0){
$content = $this->geCiContentInfo($result, $length);
if (version_compare(PHP_VERSION, '8.0.0', '<')) {
libxml_disable_entity_loader(true);
}
$obj = simplexml_load_string($content, "SimpleXMLElement", LIBXML_NOCDATA);
$xmlData = json_decode(json_encode($obj),true);
if ($picRuleSize == 1 && isset($xmlData['ProcessResults']['Object'])){
Expand All @@ -101,6 +104,9 @@ public function ciContentInfoTransformer(CommandInterface $command, Result $resu
$length = intval($result['ContentLength']);
if($length > 0){
$content = $this->geCiContentInfo($result, $length);
if (version_compare(PHP_VERSION, '8.0.0', '<')) {
libxml_disable_entity_loader(true);
}
$obj = simplexml_load_string($content, "SimpleXMLElement", LIBXML_NOCDATA);
$arr = json_decode(json_encode($obj),true);
$result['GuetzliStatus'] = isset($arr[0]) ? $arr[0] : '';
Expand All @@ -111,6 +117,9 @@ public function ciContentInfoTransformer(CommandInterface $command, Result $resu
$length = intval($result['ContentLength']);
if($length > 0){
$content = $this->geCiContentInfo($result, $length);
if (version_compare(PHP_VERSION, '8.0.0', '<')) {
libxml_disable_entity_loader(true);
}
$obj = simplexml_load_string($content, "SimpleXMLElement", LIBXML_NOCDATA);
$arr = json_decode(json_encode($obj),true);
$result['CIStatus'] = isset($arr[0]) ? $arr[0] : '';
Expand All @@ -122,6 +131,9 @@ public function ciContentInfoTransformer(CommandInterface $command, Result $resu
$length = intval($result['ContentLength']);
if($length > 0){
$content = $this->geCiContentInfo($result, $length);
if (version_compare(PHP_VERSION, '8.0.0', '<')) {
libxml_disable_entity_loader(true);
}
$obj = simplexml_load_string($content, "SimpleXMLElement", LIBXML_NOCDATA);
$arr = json_decode(json_encode($obj),true);
$result['OriginProtectStatus'] = isset($arr[0]) ? $arr[0] : '';
Expand All @@ -133,6 +145,9 @@ public function ciContentInfoTransformer(CommandInterface $command, Result $resu
$length = intval($result['ContentLength']);
if($length > 0){
$content = $this->geCiContentInfo($result, $length);
if (version_compare(PHP_VERSION, '8.0.0', '<')) {
libxml_disable_entity_loader(true);
}
$obj = simplexml_load_string($content, "SimpleXMLElement", LIBXML_NOCDATA);
$arr = json_decode(json_encode($obj),true);
$result['Hotlink'] = $arr;
Expand All @@ -144,6 +159,9 @@ public function ciContentInfoTransformer(CommandInterface $command, Result $resu
$length = intval($result['ContentLength']);
if($length > 0){
$content = $this->geCiContentInfo($result, $length);
if (version_compare(PHP_VERSION, '8.0.0', '<')) {
libxml_disable_entity_loader(true);
}
$obj = simplexml_load_string($content, "SimpleXMLElement", LIBXML_NOCDATA);
$arr = json_decode(json_encode($obj),true);
$result['TranslationResult'] = isset($arr[0]) ? $arr[0] : '';
Expand Down Expand Up @@ -204,6 +222,9 @@ public function ciContentInfoTransformer(CommandInterface $command, Result $resu
$length = intval($result['ContentLength']);
if($length > 0){
$content = $this->geCiContentInfo($result, $length);
if (version_compare(PHP_VERSION, '8.0.0', '<')) {
libxml_disable_entity_loader(true);
}
$obj = simplexml_load_string($content, "SimpleXMLElement", LIBXML_NOCDATA);
$xmlData = json_decode(json_encode($obj),true);
$result['Response'] = $xmlData;
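Review bot: `libxml_disable_entity_loader(true)` is process-global state and none of the seven call sites ever restores the previous value, so after the first CI response is parsed on PHP < 8.0 every other libxml consumer in the same process runs with the loader disabled, whether or not it belongs to this SDK. The function returns the previous setting, so the new code should capture it and put it back in a `finally` once `simplexml_load_string` has returned. The identical three lines appear in all seven hunks of `ciContentInfoTransformer` (the method starts before the first hunk and ends after the last), which argues for one private helper that does the save/parse/restore and also passes `LIBXML_NONET` so network fetches stay off regardless of PHP version; that helper is also the natural place to deal with the `false` that `simplexml_load_string` returns on malformed input, which the surrounding context currently feeds straight into `json_encode`. The per-branch code would then read `$obj = $this->loadCiXml($content);`.
```php
// … unchanged: ciContentInfoTransformer branches, each replacing the version check + simplexml_load_string with $this->loadCiXml($content) …

/**
 * Parse a CI XML payload with external entity loading disabled.
 *
 * On PHP < 8.0 the entity loader is a global switch; the previous value is
 * restored so other libxml users in the process are not affected.
 */
private function loadCiXml($content)
{
    $previous = null;
    if (version_compare(PHP_VERSION, '8.0.0', '<')) {
        $previous = libxml_disable_entity_loader(true);
    }
    try {
        return simplexml_load_string($content, "SimpleXMLElement", LIBXML_NOCDATA | LIBXML_NONET);
    } finally {
        if ($previous !== null) {
            libxml_disable_entity_loader($previous);
        }
    }
}
```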
