Commitb21025b

committed

security #cve-2019-18888 [HttpFoundation] fix guessing mime-types of files with leading dash (nicolas-grekas)

This PR was merged into the 3.4 branch.

2 parents0102134 +6be5cc7 commitb21025bCopy full SHA for b21025b

File tree

+12

-3

lines changed

+12

-3

lines changed

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ class FileBinaryMimeTypeGuesser implements MimeTypeGuesserInterface`
`31`	`31`	`*`
`32`	`32`	`* @param string $cmd The command to run to get the mime type of a file`
`33`	`33`	`*/`
`34`		`-publicfunction__construct($cmd ='file -b --mime %s 2>/dev/null')`
	`34`	`+publicfunction__construct($cmd ='file -b --mime--%s 2>/dev/null')`
`35`	`35`	`{`
`36`	`36`	`$this->cmd =$cmd;`
`37`	`37`	`}`
`@@ -80,7 +80,7 @@ public function guess($path)`
`80`	`80`	`ob_start();`
`81`	`81`
`82`	`82`	`// need to use --mime instead of -i. see #6641`
`83`		`-passthru(sprintf($this->cmd,escapeshellarg($path)),$return);`
	`83`	`+passthru(sprintf($this->cmd,escapeshellarg((0 ===strpos($path,'-') ?'./' :'').$path)),$return);`
`84`	`84`	`if ($return >0) {`
`85`	`85`	`ob_end_clean();`
`86`	`86`

35 Bytes

Binary file not shown.

Lines changed: 10 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,16 @@`
`20`	`20`	`*/`
`21`	`21`	`class MimeTypeTestextends TestCase`
`22`	`22`	`{`
`23`		`-protected$path;`
	`23`	`+publicfunctiontestGuessWithLeadingDash()`
	`24`	`+ {`
	`25`	`+$cwd =getcwd();`
	`26`	`+chdir(__DIR__.'/../Fixtures');`
	`27`	`+try {`
	`28`	`+$this->assertEquals('image/gif', MimeTypeGuesser::getInstance()->guess('-test'));`
	`29`	`+ }finally {`
	`30`	`+chdir($cwd);`
	`31`	`+ }`
	`32`	`+ }`
`24`	`33`
`25`	`34`	`publicfunctiontestGuessImageWithoutExtension()`
`26`	`35`	`{`

Comments

(0)