
Key: ZF-5748
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Critical
Assignee: Matthew Weier O'Phinney
Reporter: Matthew Weier O'Phinney
Votes: 0
Watchers: 0
Zend Framework

Zend_View render() allows parent directory notation, opening potential LFI exploit

Created: 11/Feb/09 11:39 AM   Updated: 04/Aug/09 08:39 AM  Due: 12/Feb/09   Resolved: 04/Aug/09 08:39 AM
Component/s: Zend_View
Affects Version/s: None
Fix Version/s: 1.9.1

Time Tracking:
Original Estimate: 15 minutes
Remaining Estimate: 15 minutes
Time Spent: Not Specified

File Attachments: 1. File patch (5 kB)

Issue Links:
Related
 

Fix Version Priority: Must Have


Description

Zend_View::render() currently allows script names that include parent directory notation – which could lead to a potential local filesystem inclusion exploit if provided unfiltered user input. As view scripts should only ever match beneath the registered view script directories, render() (or _script()) should filter for this sort of input and raise an exception when such input is detected.
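
One way to implement the check the description asks for, as an added example rather than the patch committed to Zend Framework: `resolveViewScript()` is a hypothetical helper that rejects parent directory notation and then confirms the canonical path still lies beneath a registered script directory. The directory tree and file names are constructed for the demonstration.

```php
<?php
// Added example, not Zend Framework code. resolveViewScript() is a hypothetical helper.

/**
 * Resolve a view script name against the registered script directories.
 * Throws if the name uses parent directory notation or resolves outside them.
 */
function resolveViewScript(string $name, array $scriptDirs): string
{
    // 1. Reject "../" and "..\" anywhere in the requested name.
    if (preg_match('#\.\.[\\\\/]#', $name)) {
        throw new InvalidArgumentException('Script name may not contain parent directory notation');
    }
    foreach ($scriptDirs as $dir) {
        $base = realpath($dir);
        if ($base === false) {
            continue; // registered directory does not exist
        }
        $path = realpath($base . DIRECTORY_SEPARATOR . $name);
        // 2. Defence in depth: the canonical path (symlinks resolved) must
        //    still start with the registered directory.
        if ($path !== false && is_file($path)
            && strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0) {
            return $path;
        }
    }
    throw new RuntimeException('Script not found in any registered script directory');
}

// Constructed sample tree: <tmp>/views/index.phtml and <tmp>/secret.txt
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'zfview_' . uniqid();
mkdir($root . '/views', 0700, true);
file_put_contents($root . '/views/index.phtml', '<p>hello</p>');
file_put_contents($root . '/secret.txt', 'not a view script');

foreach (['index.phtml', '../secret.txt', '..\\secret.txt', 'missing.phtml'] as $name) {
    try {
        echo $name, ' => ', resolveViewScript($name, [$root . '/views']), PHP_EOL;
    } catch (Exception $e) {
        echo $name, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}

// Clean up the constructed sample tree.
unlink($root . '/views/index.phtml');
unlink($root . '/secret.txt');
rmdir($root . '/views');
rmdir($root);
```

Only `index.phtml` resolves; both traversal forms are rejected before any filesystem access, and `missing.phtml` fails the lookup.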



Matthew Weier O'Phinney added a comment - 11/Feb/09 11:40 AM

Based on ZF-5724 submission, but specific to render() vs. the script paths.


Matthew Weier O'Phinney added a comment - 11/Feb/09 12:07 PM

Fix committed to trunk in r14049


Matthew Weier O'Phinney added a comment - 12/Feb/09 01:28 PM

Patch applied to 1.7 release branch