From: Russ Nelson Date: Tue, 28 Jun 2011 22:00:21 +0000 (+0000) Subject: UploadStashFile::__construct() can't assume that the mwrepo-produced paths match... X-Git-Tag: 1.31.0-rc.0~29208 X-Git-Url: http://git.cyclocoop.org/%22.%24image2.%22?a=commitdiff_plain;h=2fe1420f43f65f919b0a3116292c8d8b095c5477;p=lhc%2Fweb%2Fwiklou.git UploadStashFile::__construct() can't assume that the mwrepo-produced paths match the temp zone. --- diff --git a/includes/upload/UploadStash.php b/includes/upload/UploadStash.php index 8432f0d4f3..baa50e6beb 100644 --- a/includes/upload/UploadStash.php +++ b/includes/upload/UploadStash.php @@ -258,20 +258,21 @@ class UploadStashFile extends UnregisteredLocalFile { // resolve mwrepo:// urls if ( $repo->isVirtualUrl( $path ) ) { $path = $repo->resolveVirtualUrl( $path ); - } + } else { - // check if path appears to be sane, no parent traversals, and is in this repo's temp zone. - $repoTempPath = $repo->getZonePath( 'temp' ); - if ( ( ! $repo->validateFilename( $path ) ) || - ( strpos( $path, $repoTempPath ) !== 0 ) ) { - wfDebug( "UploadStash: tried to construct an UploadStashFile from a file that should already exist at '$path', but path is not valid\n" ); - throw new UploadStashBadPathException( 'path is not valid' ); - } + // check if path appears to be sane, no parent traversals, and is in this repo's temp zone. + $repoTempPath = $repo->getZonePath( 'temp' ); + if ( ( ! $repo->validateFilename( $path ) ) || + ( strpos( $path, $repoTempPath ) !== 0 ) ) { + wfDebug( "UploadStash: tried to construct an UploadStashFile from a file that should already exist at '$path', but path is not valid\n" ); + throw new UploadStashBadPathException( 'path is not valid' ); + } - // check if path exists! and is a plain file. - if ( ! $repo->fileExists( $path, FileRepo::FILES_ONLY ) ) { - wfDebug( "UploadStash: tried to construct an UploadStashFile from a file that should already exist at '$path', but path is not found\n" ); - throw new UploadStashFileNotFoundException( 'cannot find path, or not a plain file' ); + // check if path exists! and is a plain file. + if ( ! $repo->fileExists( $path, FileRepo::FILES_ONLY ) ) { + wfDebug( "UploadStash: tried to construct an UploadStashFile from a file that should already exist at '$path', but path is not found\n" ); + throw new UploadStashFileNotFoundException( 'cannot find path, or not a plain file' ); + } } parent::__construct( false, $repo, $path, false );