From aaf931a5e8a76cc25ae404eae657801c47508fe6 Mon Sep 17 00:00:00 2001
From: Alexander Makarov
Date: Fri, 10 Jul 2015 12:34:09 +0300
Subject: [PATCH] Fixes #9070: Fixed `ViewAction::resolveViewName()` not to accept `/../` and `/./`

---
 framework/CHANGELOG.md | 1 +
 framework/web/ViewAction.php | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/framework/CHANGELOG.md b/framework/CHANGELOG.md
index 51a99c7ceb..19c9a6bd14 100644
--- a/framework/CHANGELOG.md
+++ b/framework/CHANGELOG.md
@@ -24,6 +24,7 @@ Yii Framework 2 Change Log
 - Bug #8772: ActiveQuery failed removing duplicate records after join when the resultset did not contain the pk values e.g. after grouping (cebe)
 - Bug #8900: Fixed determine active menu item with url-alias in route `\yii\widgets\Menu::isItemActive()` (demi)
 - Bug #9046: Fixed problem with endless error loop when an error occurred after sending a stream or file download response to the user (cebe)
+- Bug #9070: Fixed `ViewAction::resolveViewName()` not to accept `/../` and `/./` (thejahweh, samdark)
 - Bug: Fixed string comparison in `BaseActiveRecord::unlink()` which may result in wrong comparison result for hash valued primary keys starting with `0e` (cebe)
 - Bug: Pass correct action name to `yii\console\Controller::options()` when default action was requested (cebe)
 - Bug: Automatic garbage collection in `yii\caching\FileCache` was not triggered (kidol)
diff --git a/framework/web/ViewAction.php b/framework/web/ViewAction.php
index 8c6a1a6894..3b0df40ae2 100644
--- a/framework/web/ViewAction.php
+++ b/framework/web/ViewAction.php
@@ -119,9 +119,9 @@ class ViewAction extends Action
 {
 $viewName = Yii::$app->request->get($this->viewParam, $this->defaultView);
- if (!is_string($viewName) || !preg_match('/^\w[\w\/\-\.]*$/', $viewName)) {
+ if (!is_string($viewName) || !preg_match('~^\w(?:(?!\/\.{0,2}\/)[\w\/\-\.])*$~', $viewName)) {
 if (YII_DEBUG) {
- throw new NotFoundHttpException("The requested view \"$viewName\" must start with a word character and can contain only word characters, forward slashes, dots and dashes.");
+ throw new NotFoundHttpException("The requested view \"$viewName\" must start with a word character, must not contain /../ or /./, can contain only word characters, forward slashes, dots and dashes.");
 } else {
 throw new NotFoundHttpException(Yii::t('yii', 'The requested view "{name}" was not found.', ['name' => $viewName]));
 }