diff --git a/core/lib/Drupal/Core/StreamWrapper/LocalStream.php b/core/lib/Drupal/Core/StreamWrapper/LocalStream.php
index 4612937..9470987 100644
--- a/core/lib/Drupal/Core/StreamWrapper/LocalStream.php
+++ b/core/lib/Drupal/Core/StreamWrapper/LocalStream.php
@@ -126,15 +126,41 @@ protected function getLocalPath($uri = NULL) {
     if (!isset($uri)) {
       $uri = $this->uri;
     }
-    $path = $this->getDirectoryPath() . '/' . $this->getTarget($uri);
+
+    // Split the target path into by directory separators.
+    $target_parts = preg_split('@[/\\\\]+@', $this->getTarget($uri));
+
+    // Strip out all current directory references, '.'
+    for ($i = 0; $i < count($target_parts); $i++) {
+      if ("." === $target_parts[$i] || "" === $target_parts[$i]) {
+        array_splice($target_parts, $i, 1);
+        $i - 1;
+      }
+    }
+
+    // Walk the path parts, resolving parent directory references, '..'
+    for ($i = 0; $i < count($target_parts); $i++) {
+      if (".." === $target_parts[$i]) {
+        // Can't walk out of the directory!
+        if($i === 0) {
+          return FALSE;
+        }
+        // Remove parent directory reference and parent directory.
+        array_splice($target_parts, $i - 1, 2);
+        $i -= 2;
+      }
+    }
+
+    // Get the target path relative to the files repository.
+    $path = $this->getDirectoryPath() . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $target_parts);
     $realpath = realpath($path);
     if (!$realpath) {
-      // This file does not yet exist.
-      $realpath = realpath(dirname($path)) . '/' . drupal_basename($path);
-    }
-    $directory = realpath($this->getDirectoryPath());
-    if (!$realpath || !$directory || strpos($realpath, $directory) !== 0) {
-      return FALSE;
+      // This file does not yet exist. If the directory exists then
+      // it should be okay.
+      $realpath = realpath(dirname($path));
+      if ($realpath) {
+        $realpath .= DIRECTORY_SEPARATOR . drupal_basename($path);
+      }
     }
     return $realpath;
   }
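Review bot: The containment check that the removed lines 42-44 performed (`realpath($this->getDirectoryPath())` as a prefix of `$realpath`) is gone, so the new code relies entirely on the textual `..` stripping above and never verifies that the resolved path still lies under the files directory; since `realpath()` follows symlinks, a symlink inside that directory now resolves to a location outside it without being rejected. If allowing symlinked targets is the intent of this change, say so in a comment next to the `realpath` call; otherwise the prefix check should be restored after `$realpath` is computed, in the same `!$realpath || !$directory || strpos($realpath, $directory) !== 0` form as before. Separately, `$i - 1;` on the line after the first `array_splice` is a no-op expression, so the element shifted into position `$i` is skipped and consecutive `.`/empty parts survive into the `..` loop, where a target such as `././../x` is silently remapped to `<dir>/x` instead of returning FALSE; it should read `$i--;` (or `$i -= 1;`). The enclosing `getLocalPath()` starts before this hunk.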
