
PHP Cross Reference of Joomla 4.2.2 documentation


/libraries/src/Form/Rule/ -> FilePathRule.php (source)

   1  <?php
   2  
   3  /**
   4   * Joomla! Content Management System
   5   *
   6   * @copyright  Copyright (C) 2005 - 2020 Open Source Matters, Inc. All rights reserved.
   7   * @license    GNU General Public License version 2 or later; see LICENSE.txt
   8   */
   9  
  10  namespace Joomla\CMS\Form\Rule;
  11  
  12  use Joomla\CMS\Filesystem\Path;
  13  use Joomla\CMS\Form\Form;
  14  use Joomla\CMS\Form\FormRule;
  15  use Joomla\Registry\Registry;
  16  
  17  // phpcs:disable PSR1.Files.SideEffects
  18  \defined('JPATH_PLATFORM') or die;
  19  // phpcs:enable PSR1.Files.SideEffects
  20  
  21  /**
  22   * Form Rule class for the Joomla Platform.
  23   *
  24   * @since  3.9.21
  25   */
  26  class FilePathRule extends FormRule
  27  {
  28      /**
  29       * Method to test if the file path is valid
  30       *
  31       * @param   \SimpleXMLElement  $element  The SimpleXMLElement object representing the `<field>` tag for the form field object.
  32       * @param   mixed              $value    The form field value to validate.
  33       * @param   string             $group    The field name group control value. This acts as an array container for the field.
  34       *                                       For example if the field has name="foo" and the group value is set to "bar" then the
  35       *                                       full field name would end up being "bar[foo]".
  36       * @param   Registry           $input    An optional Registry object with the entire data set to validate against the entire form.
  37       * @param   Form               $form     The form object for which the field is being tested.
  38       *
  39       * @return  boolean  True if the value is valid, false otherwise.
  40       *
  41       * @since   3.9.21
  42       */
  43      public function test(\SimpleXMLElement $element, $value, $group = null, Registry $input = null, Form $form = null)
  44      {
  45          $value = trim($value);
  46  
  47          // If the field is empty and not required, the field is valid.
  48          $required = ((string) $element['required'] == 'true' || (string) $element['required'] == 'required');
  49  
  50          if (!$required && empty($value)) {
  51              return true;
  52          }
  53  
  54          // Get the exclude setting from the xml
  55          $exclude = (array) explode('|', (string) $element['exclude']);
  56  
  57          // Exclude current folder '.' to be safe from full path disclosure
  58          $exclude[] = '.';
  59  
  60          // Check the exclude setting
  61          $path = preg_split('/[\/\\\\]/', $value);
  62  
  63          if (in_array(strtolower($path[0]), $exclude) || empty($path[0])) {
  64              return false;
  65          }
  66  
  67          // Prepend the root path
  68          $value = JPATH_ROOT . '/' . $value;
  69  
  70          // Check if $value is a valid path, which includes not allowing to break out of the current path
  71          try {
  72              Path::check($value);
  73          } catch (\Exception $e) {
  74              // When there is an exception in the check path this is not valid
  75              return false;
  76          }
  77  
  78          // When there are no exception this rule should pass.
  79          // See: https://github.com/joomla/joomla-cms/issues/30500#issuecomment-683290162
  80          return true;
  81      }
  82  }

