fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-04-01 17:42:11 +09:00
Code Issues Projects Releases Packages Wiki Activity

Add 'command' type to R\F\Security::sanitize()

Browse source
This commit is contained in:
Kijin Sung 2026-03-31 21:02:33 +09:00
parent ae44685306
commit b1f84365a5
2 changed files with 18 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

8
common/framework/Security.php
View file

@ -37,13 +37,19 @@ class Security
case 'filename':
if (!utf8_check($input)) return false;
return Filters\FilenameFilter::clean($input);
// Clean up SVG content to prevent various attacks.
case 'svg':
if (!utf8_check($input)) return false;
$sanitizer = new \enshrined\svgSanitize\Sanitizer();
return strval($sanitizer->sanitize($input));
// Clean up a path to prevent argument injection.
case 'command':
if (!utf8_check($input)) return false;
if (\RX_WINDOWS || preg_match('![^a-z0-9/._-]!', $input)) return escapeshellarg($input);
return strval($input);
// Unknown filters.
default:
throw new Exception('Unknown filter type for sanitize: ' . $type);

11
tests/unit/framework/SecurityTest.php
View file

@ -25,6 +25,17 @@ class SecurityTest extends \Codeception\Test\Unit
$source = '<svg><rect></rect><script></script></svg>';
$target = '<?xml version="1.0" encoding="UTF-8"?>' . "\n<svg>\n <rect></rect>\n</svg>\n";
$this->assertEquals($target, Rhymix\Framework\Security::sanitize($source, 'svg'));
// Command
if (!\RX_WINDOWS)
{
$source = '/usr/bin/ffmpeg';
$target = '/usr/bin/ffmpeg';
$this->assertEquals($target, Rhymix\Framework\Security::sanitize($source, 'command'));
$source = '/usr/bin/path with space/ffmpeg';
$target = '\'/usr/bin/path with space/ffmpeg\'';
$this->assertEquals($target, Rhymix\Framework\Security::sanitize($source, 'command'));
}
}
public function testEncryption()