search

qbdsoft / owasp-esapi-php

Automatically exported from code.google.com/p/owasp-esapi-php
Other
0 stars 0 forks source link

SafeFileTest testSafeFile fails to create an instance of SafeFile on PHP 5.2.0 and packages derived from it. #35

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
SafeFileTest testSafeFile fails to create an instance of SafeFile with $path:

/var/www/vhosts/user.name/httpdocs/esapi-php/test/testresources/ESAPI.xml

on PHP 5.2.0-8+etch16.  Here's the simpletest message:

Exception:
/var/www/vhosts/user.name/httpdocs/esapi-php/test/reference/SafeFileTest.php ->
SafeFileTest -> testSafeFile -> Unexpected exception of type
[ValidationException] with message [Invalid file] in
[/var/www/vhosts/user.name/httpdocs/esapi-php/src/SafeFile.php line 118]

and Auditor entry:

2010-04-14 19:57:45 +01:00 WARNING IntrusionDetector SECURITY-FAILURE File
path
(/var/www/vhosts/user.name/httpdocs/esapi-php/test/testresources/ESAPI.xml)
contains illegal character. exception 'ValidationException' with message
'Invalid file' in
/var/www/vhosts/user.name/httpdocs/esapi-php/src/SafeFile.php:118
| Stack trace:
| #0 /var/www/vhosts/user.name/httpdocs/esapi-php/src/SafeFile.php(70):
SafeFile->_doFileCheck('/var/www/vhosts...')
| #1
/var/www/vhosts/user.name/httpdocs/esapi-php/test/reference/SafeFileTest.php(42)
:
SafeFile->__construct('/var/www/vhosts...')
| #2
/var/www/vhosts/user.name/httpdocs/esapi-php/lib/simpletest/invoker.php(68): 
SafeFileTest->testSafeFile()
| #3
/var/www/vhosts/user.name/httpdocs/esapi-php/lib/simpletest/invoker.php(126):
SimpleInvoker->invoke('testSafeFile')
| #4
/var/www/vhosts/user.name/httpdocs/esapi-php/lib/simpletest/errors.php(49):
SimpleInvokerDecorator->invoke('testSafeFile')
| #5
/var/www/vhosts/user.name/httpdocs/esapi-php/lib/simpletest/invoker.php(126):
SimpleErrorTrappingInvoker->invoke('testSafeFile')
| #6
/var/www/vhosts/user.name/httpdocs/esapi-php/lib/simpletest/exceptions.php(43):
SimpleInvokerDecorator->invoke('testSafeFile')
| #7
/var/www/vhosts/user.name/httpdocs/esapi-php/lib/simpletest/test_case.php(143):
SimpleExceptionTrappingInvoker->invoke('testSafeFile')
| #8
/var/www/vhosts/user.name/httpdocs/esapi-php/lib/simpletest/test_case.php(585):
SimpleTestCase->run(Object(HtmlReporter))
| #9
/var/www/vhosts/user.name/httpdocs/esapi-php/lib/simpletest/test_case.php(588):
TestSuite->run(Object(HtmlReporter))
| #10 /var/www/vhosts/user.name/httpdocs/esapi-php/test/AllTests.php(41):
TestSuite->run(Object(HtmlReporter))
| #11 {main}

We can see from the stack trace (and I've manually verified it) that
_doFileCheck is passed a full filepath rather than the file name.  This is
because SafeFile::getFileName returns the full path.
At this moment, I do not know why this happens.  I found PHP Bug 48788
which may or may not be related http://bugs.php.net/bug.php?id=48788

Original issue reported on code.google.com by jahboite@gmail.com on 14 Apr 2010 at 8:14

GoogleCodeExporter commented 9 years ago 
This is described in http://php.net/manual/en/migration52.incompatible.php :-

SplFileObject::getFilename() returns the filename, not relative/path/to/file, 
as of
PHP 5.2.1

so in 5.2.0 and packages derived from it, SplFileObject::getFilename() returns 
the
relative path to the file.  This can be worked around!

Original comment by jahboite@gmail.com on 20 Apr 2010 at 9:20

GoogleCodeExporter commented 9 years ago 
A workaround for this issue was added in r732

Original comment by jahboite@gmail.com on 20 Apr 2010 at 2:27