ZF-5748: Zend_View render() allows parent directory notation, opening potential LFI exploit

Issue Type: Bug Created: 2009-02-11T11:39:41.000+0000 Last Updated: 2009-08-04T08:39:04.000+0000 Status: Resolved Fix version(s): - 1.9.1 (11/Aug/09)

Reporter: Matthew Weier O'Phinney (matthew) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_View

Related issues: - ZF-5724

Attachments: - patch


Zend_View::render() currently allows script names that include parent directory notation -- which could lead to a potential local filesystem inclusion exploit if provided unfiltered user input. As view scripts should only ever match beneath the registered view script directories, render() (or _script()) should filter for this sort of input and raise an exception when such input is detected.


Posted by Matthew Weier O'Phinney (matthew) on 2009-02-11T11:40:33.000+0000

Based on ZF-5724 submission, but specific to render() vs. the script paths.

Posted by Matthew Weier O'Phinney (matthew) on 2009-02-11T12:07:14.000+0000

Fix committed to trunk in r14049

Posted by Matthew Weier O'Phinney (matthew) on 2009-02-12T13:28:27.000+0000

Patch applied to 1.7 release branch

Have you found an issue?

See the Overview section for more details.


© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.