c33s/StaticPageContentBundle

susceptibility to directory traversal attacks?

jrobeson opened this issue · 5 comments

Is there any way, when simply accepting everything for a route path, that it could lead to a directory traversal out of the tree? Or do the underlying Symfony methods already protect against it?

Note that the Symfony cookbook suggests that you use .+ over *:

http://symfony.com/doc/current/cookbook/routing/slash_in_parameter.html

I will have a look at the directory traversal thing.

Regarding .+ vs .*: I have to re-check; there is a project where I needed the option to have an empty name for some reason. I think it depends on the use case.

I don't think we can really suggest that users ever use either of those. We need something better.

We could easily provide a ready-to-use routing.yml pointing to the base controller. In combination with the controller configuration you provided this makes an easy to use package:

  • configure default controller through config.yml
  • import shipped routing file, supplying a base path if required

That's it. Anyone doing their own routing can just copy the sample file.

I don't think there is an easier way that is more transparent. We'd probably have to supply our own Router implementation to make this work without configuring .+. I understand that this is not optimal, but on the other hand I don't think of it as a big issue for users.

c33s commented

For now we should use .+ (I really dislike opening security holes or attack possibilities) and find a solution for an empty name later.
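Added example, not part of the issue thread and not code from StaticPageContentBundle: what a controller behind a route with a .+ (or .*) requirement has to do itself, because the requirement only decides which URLs match the route; it does nothing about "../" segments inside the matched value, and Symfony's router does not canonicalise the parameter. The route shape in the comment, the content root, and the .html.twig suffix are assumptions for the illustration. The resolver also rejects an empty name, which is exactly the case .* would let through.

```php
<?php
// Added example (hypothetical, not the bundle's code). The route is assumed
// to be declared roughly like this in routing.yml:
//
//   static_page:
//       path: /{name}
//       defaults: { _controller: "StaticPageContentBundle:Default:index" }
//       requirements:
//           name: .+
//
// With ".+" the parameter "name" can still carry "../../something", so the
// controller must check that the resolved file stays under the content root.
declare(strict_types=1);

final class ContentPathResolver
{
    private string $root;
    private string $suffix;

    // $root: directory holding the page templates; $suffix: assumed file extension.
    public function __construct(string $root, string $suffix = '.html.twig')
    {
        $real = realpath($root);
        if ($real === false || !is_dir($real)) {
            throw new \InvalidArgumentException("Content root not found: $root");
        }
        $this->root = $real;
        $this->suffix = $suffix;
    }

    /**
     * Returns the absolute template path for $name, or null when the name is
     * empty, contains a traversal segment, does not exist, or resolves outside
     * the content root (e.g. through a symlink).
     */
    public function resolve(string $name): ?string
    {
        // Empty name (what ".*" would match) and NUL bytes are refused outright.
        if ($name === '' || strpos($name, "\0") !== false) {
            return null;
        }

        // Lexical check first: no "." / ".." segments, no empty segments from
        // leading, trailing or doubled separators, backslashes treated as separators.
        foreach (preg_split('#[/\\\\]+#', $name) as $segment) {
            if ($segment === '' || $segment === '.' || $segment === '..') {
                return null;
            }
        }

        $candidate = $this->root . DIRECTORY_SEPARATOR . $name . $this->suffix;
        $real = realpath($candidate);
        if ($real === false) {
            return null; // no such file
        }

        // realpath() follows symlinks, so confirm the final location is still
        // inside the root (prefix match including the trailing separator).
        $prefix = $this->root . DIRECTORY_SEPARATOR;
        if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
            return null;
        }

        return $real;
    }
}

// Self-contained demo on a constructed temporary tree.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $base = sys_get_temp_dir() . '/spcb_demo_' . getmypid();
    mkdir("$base/pages/sub", 0700, true);
    file_put_contents("$base/pages/sub/about.html.twig", "about page");
    file_put_contents("$base/secret.html.twig", "must not be reachable");

    $resolver = new ContentPathResolver("$base/pages");
    $names = ['sub/about', '../secret', 'sub/../../secret', '', 'sub//about', '/sub/about'];
    foreach ($names as $name) {
        printf("%-22s => %s\n", var_export($name, true), $resolver->resolve($name) ?? 'REJECTED');
    }
    // Only 'sub/about' resolves; every other name is rejected.
}
```

The lexical check and the realpath() prefix check are deliberately both present: the first refuses traversal before anything touches the filesystem, the second catches a template inside the tree that is a symlink to somewhere outside it. Whatever the routing requirement ends up being (.+ now, something else later for the empty-name case), this check is what actually closes the traversal question from the opening comment.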