ZF-5748 - Issues - Zend Framework

ZF-5748: Zend_View render() allows parent directory notation, opening potential LFI exploit

Issue Type:

Bug

Created:

2009-02-11T11:39:41.000+0000

Last Updated:

2009-08-04T08:39:04.000+0000

Status:

Resolved

Fix version(s):

1.9.1 (11/Aug/09)

Reporter:

Matthew Weier O'Phinney (matthew)

Assignee:

Matthew Weier O'Phinney (matthew)

Tags:

Zend_View

Related issues:

ZF-5724

Attachments:

patch

Description

Zend_View::render() currently allows script names that include parent directory notation -- which could lead to a potential local filesystem inclusion exploit if provided unfiltered user input. As view scripts should only ever match beneath the registered view script directories, render() (or _script()) should filter for this sort of input and raise an exception when such input is detected.

Comments

Posted by Matthew Weier O'Phinney (matthew) on 2009-02-11T11:40:33.000+0000

Based on ZF-5724 submission, but specific to render() vs. the script paths.

Posted by Matthew Weier O'Phinney (matthew) on 2009-02-11T12:07:14.000+0000

Fix committed to trunk in r14049

Posted by Matthew Weier O'Phinney (matthew) on 2009-02-12T13:28:27.000+0000

Patch applied to 1.7 release branch