diff --git a/lib/Template/Filters.pm b/lib/Template/Filters.pm
index e82adde1..8bc24a3d 100644
--- a/lib/Template/Filters.pm
+++ b/lib/Template/Filters.pm
@@ -639,8 +639,8 @@ sub redirect_filter_factory {
 'OUTPUT_PATH is not set'))
 unless $outpath;
- $context->throw('redirect', "relative filenames are not supported: $file")
- if $file =~ m{(^|/)\.\./};
+ $context->throw('redirect', "path traversal is not permitted: $file")
+ if $file =~ m{(^|[\\/])\.\.([\\/]|$)};
 $options = { binmode => $options } unless ref $options;
diff --git a/t/filter.t b/t/filter.t
index e1aa2b4c..10616446 100644
--- a/t/filter.t
+++ b/t/filter.t
@@ -981,3 +981,39 @@ foo(bar)
 [% "foo(bar)" | uri %]
 -- expect --
 foo(bar)
+
+-- test --
+-- use evalperl --
+[% TRY -%]
+[% FILTER redirect('../traversal') %]
+should not reach here
+[% END -%]
+[% CATCH -%]
+ERROR [% error.type %]: [% error.info %]
+[% END %]
+-- expect --
+ERROR redirect: path traversal is not permitted: ../traversal
+
+-- test --
+-- use evalperl --
+[% TRY -%]
+[% FILTER redirect('..') %]
+should not reach here
+[% END -%]
+[% CATCH -%]
+ERROR [% error.type %]: [% error.info %]
+[% END %]
+-- expect --
+ERROR redirect: path traversal is not permitted: ..
+
+-- test --
+-- use evalperl --
+[% TRY -%]
+[% FILTER redirect('sub/../escape') %]
+should not reach here
+[% END -%]
+[% CATCH -%]
+ERROR [% error.type %]: [% error.info %]
+[% END %]
+-- expect --
+ERROR redirect: path traversal is not permitted: sub/../escape
diff --git a/t/vars.t b/t/vars.t
index 8faac9fd..b2822884 100644
--- a/t/vars.t
+++ b/t/vars.t
@@ -87,6 +87,8 @@ my $params = {
 expose => sub { undef $Template::Stash::PRIVATE },
 add => sub { $_[0] + $_[1] },
+ 'numlist' => [ 10, 20, 30 ],
+ # don't define a 'z' - DEFAULT test relies on its non-existance
 };
@@ -463,7 +465,7 @@ bravo
 -- test --
 [% a = '' b = '' -%]
-[% DEFAULT
+[% DEFAULT
 a = c
 b = d
 z = r
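Review bot: The new guard in redirect_filter_factory carries no comment, and its pattern is easy to misread or "simplify" later (the old one let `sub/../escape` and a bare `..` through), so add above the `$context->throw` line: `# reject any '..' path segment - leading, inner or trailing, with / or \ as separator - so the redirected output cannot escape OUTPUT_PATH`. Keep the `$` in the final alternation rather than `\z`: it also matches before a trailing newline, so a value of `"..\n"` is rejected as well. The check runs once, at factory time, against the `$file` captured here; the closure that builds the output path lies outside the hunk, so I could not confirm from this hunk that it uses that same value unchanged.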
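Review bot: The three new blocks exercise a leading, bare and inner `..` with a forward slash, but not the two forms the new pattern specifically added, a trailing segment and the backslash separator, so add a block with `[% FILTER redirect('sub/..') %]` and `-- expect --` `ERROR redirect: path traversal is not permitted: sub/..`. A backslash variant in the same shape is worth adding if the harness's quoting keeps the backslash literal, which I cannot tell from this hunk. A positive case such as `redirect('notes..txt')`, which must not throw, would also pin that `..` inside a segment name is still allowed, provided the test configuration supplies a writable OUTPUT_PATH.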
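Review bot: `numlist` is an arrayref stored in the shared `$params` fixture, and the `DEFAULT numlist.3 = 40` case added later in this commit assigns through it, so every test run after that one sees a four-element list; if the harness passes the same `$params` to each test (not visible here), the fixture becomes order-dependent and deserves a comment such as `# numlist: mutated by the DEFAULT numlist.3 test below - do not rely on its length afterwards`. The new comment on the next line also misspells "non-existence" (`non-existance`).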
@@ -472,6 +474,17 @@ bravo
 -- expect --
 charlie delta romeo
+-- test --
+[% DEFAULT numlist.0 = 999 -%]
+[% numlist.0 %]
+-- expect --
+10
+
+-- test --
+[% DEFAULT numlist.3 = 40 -%]
+[% numlist.3 %]
+-- expect --
+40
 #------------------------------------------------------------------------
 # 'global' vars