-
Notifications
You must be signed in to change notification settings - Fork 507
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix CVE-2019-18888 issue in symfony/http-foundation
- Loading branch information
1 parent
ba8296e
commit c6b50b2
Showing
2 changed files
with
101 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
99 changes: 99 additions & 0 deletions
99
overrides/symfony/http-foundation/File/MimeType/FileBinaryMimeTypeGuesser.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,99 @@ | ||
| <?php | ||
|
|
||
| /* | ||
| * This file is part of the Symfony package. | ||
| * | ||
| * (c) Fabien Potencier <fabien@symfony.com> | ||
| * | ||
| * For the full copyright and license information, please view the LICENSE | ||
| * file that was distributed with this source code. | ||
| */ | ||
|
|
||
| namespace Symfony\Component\HttpFoundation\File\MimeType; | ||
|
|
||
| use Symfony\Component\HttpFoundation\File\Exception\AccessDeniedException; | ||
| use Symfony\Component\HttpFoundation\File\Exception\FileNotFoundException; | ||
|
|
||
| /** | ||
| * Guesses the mime type with the binary "file" (only available on *nix). | ||
| * | ||
| * @author Bernhard Schussek <bschussek@gmail.com> | ||
| */ | ||
| class FileBinaryMimeTypeGuesser implements MimeTypeGuesserInterface | ||
| { | ||
| private $cmd; | ||
|
|
||
| /** | ||
| * The $cmd pattern must contain a "%s" string that will be replaced | ||
| * with the file name to guess. | ||
| * | ||
| * The command output must start with the mime type of the file. | ||
| * | ||
| * @param string $cmd The command to run to get the mime type of a file | ||
| */ | ||
| public function __construct($cmd = 'file -b --mime -- %s 2>/dev/null') | ||
| { | ||
| $this->cmd = $cmd; | ||
| } | ||
|
|
||
| /** | ||
| * Returns whether this guesser is supported on the current OS. | ||
| * | ||
| * @return bool | ||
| */ | ||
| public static function isSupported() | ||
| { | ||
| static $supported = null; | ||
|
|
||
| if (null !== $supported) { | ||
| return $supported; | ||
| } | ||
|
|
||
| if ('\\' === \DIRECTORY_SEPARATOR || !\function_exists('passthru') || !\function_exists('escapeshellarg')) { | ||
| return $supported = false; | ||
| } | ||
|
|
||
| ob_start(); | ||
| passthru('command -v file', $exitStatus); | ||
| $binPath = trim(ob_get_clean()); | ||
|
|
||
| return $supported = 0 === $exitStatus && '' !== $binPath; | ||
| } | ||
|
|
||
| /** | ||
| * {@inheritdoc} | ||
| */ | ||
| public function guess($path) | ||
| { | ||
| if (!is_file($path)) { | ||
| throw new FileNotFoundException($path); | ||
| } | ||
|
|
||
| if (!is_readable($path)) { | ||
| throw new AccessDeniedException($path); | ||
| } | ||
|
|
||
| if (!self::isSupported()) { | ||
| return; | ||
| } | ||
|
|
||
| ob_start(); | ||
|
|
||
| // need to use --mime instead of -i. see #6641 | ||
| passthru(sprintf($this->cmd, escapeshellarg((0 === strpos($path, '-') ? './' : '').$path)), $return); | ||
| if ($return > 0) { | ||
| ob_end_clean(); | ||
|
|
||
| return; | ||
| } | ||
|
|
||
| $type = trim(ob_get_clean()); | ||
|
|
||
| if (!preg_match('#^([a-z0-9\-]+/[a-z0-9\-\.]+)#i', $type, $match)) { | ||
| // it's not a type, but an error message | ||
| return; | ||
| } | ||
|
|
||
| return $match[1]; | ||
| } | ||
| } |