Fix possible vendor-dir "evasion" via target-dir

2012-09-18 18:30:11 +02:00 · 2012-09-18 18:30:11 +02:00 · f377e9ca87
parent ebc9c73008
commit f377e9ca87
2 changed files with 20 additions and 1 deletions
--- a/src/Composer/Package/Package.php
+++ b/src/Composer/Package/Package.php
@ -114,7 +114,11 @@ class Package extends BasePackage
     */
    public function getTargetDir()
    {
-        return $this->targetDir;
+        if (null === $this->targetDir) {
+            return;
+        }
+
+        return ltrim(preg_replace('{ (?:^|[\\\\/]) \.\.? (?:[\\\\/]|$) (?:\.\.? (?:[\\\\/]|$) )*}x', '/', $this->targetDir), '/');
    }

    /**
--- a/tests/Composer/Test/Package/CompletePackageTest.php
+++ b/tests/Composer/Test/Package/CompletePackageTest.php
@ -71,4 +71,19 @@ class CompletePackageTest extends TestCase
        $this->assertEquals(strtolower($name).'-'.$normVersion, (string) $package);
    }

+    public function testGetTargetDir()
+    {
+        $package = new Package('a', '1.0.0.0', '1.0');
+
+        $this->assertNull($package->getTargetDir());
+
+        $package->setTargetDir('./../foo/');
+        $this->assertEquals('foo/', $package->getTargetDir());
+
+        $package->setTargetDir('foo/../../../bar/');
+        $this->assertEquals('foo/bar/', $package->getTargetDir());
+
+        $package->setTargetDir('../..');
+        $this->assertEquals('', $package->getTargetDir());
+    }
 }