Closed dave-newson closed 8 years ago
When either a script or CSS URL includes directory traversal (../), the minifier gets passed an incorrect path, where "../" has been modified to "./".

Code

\BWP_MINIFY::process_media_source

Examples

```php
process_media_source('http://example.com/plugin/assets/js/derp/../main.js');
// Outcome: plugin/assets/derp/js/./main.js
// Desired: plugin/assets/js/main.js

process_media_source('http://example.com/plugin/assets/js/derp/derp/../../main.js');
// Outcome: plugin/assets/js/derp/derp/././main.js
// Desired: plugin/assets/js/main.js
```

Possible solution

process_media_source already does some hairy stuff with the path string, so why not try resolving the traversal with regex: http://stackoverflow.com/questions/20522605/what-is-the-best-way-to-resolve-a-relative-path-like-realpath-for-non-existing

```php
// ~line 2680
// Regex for resolving relative paths: strips one "segment/.." pair per match,
// and the loop repeats until no such pair is left
$regex = '#\/*[^/\.]+/\.\.#Uu';
while (preg_match($regex, $src)) {
    $src = preg_replace($regex, '', $src);
}
```

Still goes south if you try to traverse higher than the root, but that's probably OK as it's a bad URL anyway:

```php
$this->process_media_source('http://example.com/../../main.js');
// Outcome: ././main.js
```

Alternatively, before the call to

```php
$src = str_replace('./', '/', $src);
```

replace all instances of '../' with '' (empty string), like what happens with the real URL.
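The regex loop above is worth checking against a segment-based resolver before adopting it, because the point matters for more than cosmetics: a minifier resolves the source URL to a file it then reads and serves, so a path that is resolved wrongly, or one that climbs above the root, should be rejected rather than guessed at. The following is an added example, not bwp-minify's code and not from the issue author. `resolve_dot_segments`, `resolve_with_regex` and the sample paths are assumptions made here for illustration; the regex itself is the one proposed in the issue, run beside the segment walk for comparison. The segment walk also covers a case the text does not mention: a directory name that contains a dot, which the character class `[^/\.]+` only partially matches.

```php
<?php
// Added example: segment-based "." / ".." resolution for a URL path, with the
// issue's regex loop alongside it for comparison. Not bwp-minify code.

/**
 * Resolve "." and ".." segments the way a browser does for a URL, without
 * touching the filesystem. Returns null when the path tries to climb above
 * the root, so the caller can refuse the source instead of serving a file
 * from outside the directory it expected.
 */
function resolve_dot_segments(string $path): ?string
{
    $absolute = ($path !== '' && $path[0] === '/');
    $out = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;           // empty (from "//" or a leading slash) or "current dir"
        }
        if ($segment === '..') {
            if (empty($out)) {
                return null;    // would escape the root: reject, do not guess
            }
            array_pop($out);
            continue;
        }
        $out[] = $segment;
    }
    return ($absolute ? '/' : '') . implode('/', $out);
}

/**
 * The regex loop proposed in the issue, unchanged, for comparison.
 * Because [^/\.]+ cannot span a dot, a directory such as "lib.v2" is only
 * matched from after its last dot: "lib.v2/.." collapses to "lib." and the
 * resolved path silently points at a directory that does not exist.
 */
function resolve_with_regex(string $src): string
{
    $regex = '#\/*[^/\.]+/\.\.#Uu';
    while (preg_match($regex, $src)) {
        $src = preg_replace($regex, '', $src);
    }
    return $src;
}

// Constructed sample paths (host already stripped, as process_media_source does).
$cases = [
    'plugin/assets/js/derp/../main.js',          // from the issue: both agree
    'plugin/assets/js/derp/derp/../../main.js',  // from the issue: both agree
    'plugin/assets/lib.v2/../main.js',           // dotted segment: regex yields "lib./main.js"
    '/../../main.js',                            // above root: regex leaves it, walker rejects it
];
foreach ($cases as $case) {
    printf("%-44s regex: %-34s segments: %s\n",
        $case,
        resolve_with_regex($case),
        resolve_dot_segments($case) ?? 'REJECTED');
}
```

If the resolved path is used to open a file, the null case is the one to act on: a source URL that resolves to nothing under the root should be dropped from the minify group (or logged), never passed through to the filesystem after a best-effort string fix.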
This is actually a duplicate of https://github.com/OddOneOut/bwp-minify/issues/50 , so I will close this issue for now. If you want to reopen, let me know.