Improve traversal detection code.

Maikuolan · Maikuolan · commit ec90fcf70080 · 2025-09-03T15:53:06.000+08:00
diff --git a/Changelog.md b/Changelog.md
@@ -214,3 +214,4 @@ __*Why "v3.0.0" instead of "v1.0.0?"*__ Prior to phpMussel v3, the "phpMussel Co
 
 - [2025.08.31]: Slightly reworked the various front-end themes.
 - [2025.08.31]: Slightly reworked the logs page and the configuration page.
+- [2025.09.03]: Slightly improved the code for traversal detection.
diff --git a/src/FrontEnd.php b/src/FrontEnd.php
@@ -8,7 +8,7 @@
  * License: GNU/GPLv2
  * @see LICENSE.txt
  *
- * This file: Front-end handler (last modified: 2025.09.01).
+ * This file: Front-end handler (last modified: 2025.09.03).
  */
 
 namespace phpMussel\FrontEnd;
@@ -859,6 +859,20 @@ public function logsRecursiveList(): array
         return $Items;
     }
 
+    /**
+     * Traversal detection.
+     *
+     * @param string $Path The path to check for traversal.
+     * @return bool True when the path is traversal-free. False when traversal has been detected.
+     */
+    public function freeFromTraversal(string $Path): bool
+    {
+        return !preg_match(
+            '~//|(?:[^\da-z\p{L}\p{N}\p{M}\p{P}\p{S}\p{Z}.]|[\\/?&=]|^)\.\.+(?:[^\da-z\p{L}\p{N}\p{M}\p{P}\p{S}\p{Z}.]|[\\/?&=]|$)|/\.+(?:[^\da-z\p{L}\p{N}\p{M}\p{P}\p{S}\p{Z}.]|[\\/?&=]|$)|(?:[^\da-z\p{L}\p{N}\p{M}\p{P}\p{S}\p{Z}.]|[\\/?&=])\.+/|[\x01-\x1F]~i',
+            str_ireplace(['%25', '%22', '%27', '%2e', '%2f', '%5b', '%5c', '%5d', '%5e', '%5f', '%60', '\\'], ['%', '"', '\'', '.', '/', '[', '/', ']', '^', '_', '`', '/'], $Path)
+        );
+    }
+
     /**
      * Format filesize information.
      *
@@ -899,20 +913,6 @@ private function filterByDefined(string $ChoiceKey): bool
         return defined($ChoiceKey);
     }
 
-    /**
-     * Traversal detection.
-     *
-     * @param string $Path The path to check for traversal.
-     * @return bool True when the path is traversal-free. False when traversal has been detected.
-     */
-    private function freeFromTraversal(string $Path): bool
-    {
-        return !preg_match(
-            '~(?://|(?<![\da-z])\.\.(?![\da-z])|/\.(?![\da-z])|(?<![\da-z])\./|[\x01-\x1F\[-^`?*$])~i',
-            str_replace('\\', '/', $Path)
-        );
-    }
-
     /**
      * Get the appropriate path for a specified asset as per the defined theme.
      *

Original file line number	Diff line number	Diff line change
`@@ -214,3 +214,4 @@ __Why "v3.0.0" instead of "v1.0.0?"__ Prior to phpMussel v3, the "phpMussel Co`
`214`	`214`
`215`	`215`	`- [2025.08.31]: Slightly reworked the various front-end themes.`
`216`	`216`	`- [2025.08.31]: Slightly reworked the logs page and the configuration page.`
	`217`	`+- [2025.09.03]: Slightly improved the code for traversal detection.`