Do not trust input

Toflar · Toflar · commit 888f2edc82fa · 2018-11-21T18:27:51.000+01:00
diff --git a/src/ProxyClient/LiteSpeed.php b/src/ProxyClient/LiteSpeed.php
@@ -97,7 +97,7 @@ private function createFile()
         $content = '<?php'."\n\n";
 
         foreach ($this->headerLines as $header) {
-            $content .= sprintf('header(\'%s\');', $header)."\n";
+            $content .= sprintf('header(\'%s\');', addslashes($header))."\n";
         }
 
         // Generate a reasonably random file name, no need to be cryptographically safe here
diff --git a/tests/Unit/ProxyClient/LiteSpeedTest.php b/tests/Unit/ProxyClient/LiteSpeedTest.php
@@ -55,12 +55,16 @@ public function testPurge()
 
 header('X-LiteSpeed-Purge: /url');
 header('X-LiteSpeed-Purge: /another/url');
+header('X-LiteSpeed-Purge: foo\'); exec(\'rm -rf /\');//');
+header('X-LiteSpeed-Purge: foo\'); exec(\\\'rm -rf /\\\');//');
 
 EOT;
         $this->assertLiteSpeedPurger($expectedContent);
 
         $ls->purge('/url');
         $ls->purge('/another/url');
+        $ls->purge("foo'); exec('rm -rf /');//"); // Somebody tried something evil
+        $ls->purge("foo'); exec(\'rm -rf /\');//"); // Somebody tried something even more evil
         $ls->flush();
 
         // Assert file has been deleted again

Original file line number	Diff line number	Diff line change
`@@ -97,7 +97,7 @@ private function createFile()`
`97`	`97`	`$content = '<?php'."\n\n";`
`98`	`98`
`99`	`99`	`foreach ($this->headerLines as $header) {`
`100`		`- $content .= sprintf('header(\'%s\');', $header)."\n";`
	`100`	`+ $content .= sprintf('header(\'%s\');', addslashes($header))."\n";`
`101`	`101`	`}`
`102`	`102`
`103`	`103`	`// Generate a reasonably random file name, no need to be cryptographically safe here`