-
Notifications
You must be signed in to change notification settings - Fork 9
/
Path.php
178 lines (160 loc) · 5.12 KB
/
Path.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
<?php
namespace dokuwiki\plugin\filelist;
class Path
{
protected $paths = [];
/**
* @param string $pathConfig The path configuration ftom the plugin settings
*/
public function __construct($pathConfig)
{
$this->paths = $this->parsePathConfig($pathConfig);
}
/**
* Access the parsed paths
*
* @return array
*/
public function getPaths()
{
return $this->paths;
}
/**
* Parse the path configuration into an internal array
*
* roots (and aliases) are always saved with a trailing slash
*
* @return array
*/
protected function parsePathConfig($pathConfig)
{
$paths = [];
$lines = explode("\n", $pathConfig);
$lastRoot = '';
foreach ($lines as $line) {
$line = trim($line);
if (empty($line)) {
continue;
}
if (str_starts_with($line, 'A>')) {
// this is an alias for the last read root
$line = trim(substr($line, 2));
if (!isset($paths[$lastRoot])) continue; // no last root, no alias
$alias = static::cleanPath($line);
$paths[$lastRoot]['alias'] = $alias;
$paths[$alias] = &$paths[$lastRoot]; // alias references the original
} elseif (str_starts_with($line, 'W>')) {
// this is a web path for the last read root
$line = trim(substr($line, 2));
if (!isset($paths[$lastRoot])) continue; // no last path, no web path
$paths[$lastRoot]['web'] = $line;
} else {
// this is a new path
$line = static::cleanPath($line);
$lastRoot = $line;
$paths[$line] = [
'root' => $line,
'web' => DOKU_BASE . 'lib/plugins/filelist/file.php?root=' . rawurlencode($line) . '&file=',
];
}
}
return $paths;
}
/**
* Check if a given path is listable and return it's configuration
*
* @param string $path
* @param bool $addTrailingSlash
* @return array
* @throws \Exception if the given path is not allowed
*/
public function getPathInfo($path, $addTrailingSlash = true)
{
$path = static::cleanPath($path, $addTrailingSlash);
$paths = $this->paths;
if ($paths === []) {
throw new \Exception('No paths configured');
}
$allowed = array_keys($paths);
usort($allowed, static fn($a, $b) => strlen($a) - strlen($b));
$allowed = array_map('preg_quote_cb', $allowed);
$regex = '/^(' . implode('|', $allowed) . ')/';
if (!preg_match($regex, $path, $matches)) {
throw new \Exception('Path not allowed: ' . $path);
}
$match = $matches[1];
$pathInfo = $paths[$match];
$pathInfo['local'] = substr($path, strlen($match));
$pathInfo['path'] = $pathInfo['root'] . $pathInfo['local'];
return $pathInfo;
}
/**
* Clean a path for better comparison
*
* Converts all backslashes to forward slashes
* Keeps leading double backslashes for UNC paths
* Ensure a single trailing slash unless disabled
*
* @param string $path
* @return string
*/
public static function cleanPath($path, $addTrailingSlash = true)
{
if (str_starts_with($path, '\\\\')) {
$unc = '\\\\';
} else {
$unc = '';
}
$path = ltrim($path, '\\');
$path = str_replace('\\', '/', $path);
$path = self::realpath($path);
if ($addTrailingSlash) {
$path = rtrim($path, '/');
$path .= '/';
}
return $unc . $path;
}
/**
* Canonicalizes a given path. A bit like realpath, but without the resolving of symlinks.
*
* @author anonymous
* @see <http://www.php.net/manual/en/function.realpath.php#73563>
*/
public static function realpath($path)
{
$path = explode('/', $path);
$output = [];
$counter = count($path);
for ($i = 0; $i < $counter; $i++) {
if ('.' == $path[$i]) continue;
if ('' === $path[$i] && $i > 0) continue;
if ('..' == $path[$i] && '..' != ($output[count($output) - 1] ?? '')) {
array_pop($output);
continue;
}
$output[] = $path[$i];
}
return implode('/', $output);
}
/**
* Check if the given path is within the data or dokuwiki dir
*
* This whould prevent accidental or deliberate circumvention of the ACLs
*
* @param string $path and already cleaned path
* @return bool
*/
public static function isWikiControlled($path)
{
global $conf;
$dataPath = self::cleanPath($conf['savedir']);
if (str_starts_with($path, $dataPath)) {
return true;
}
$wikiDir = self::cleanPath(DOKU_INC);
if (str_starts_with($path, $wikiDir)) {
return true;
}
return false;
}
}