MAGETWO-92162: [Backport for 2.2.x] Log File Validation

Oleksandr Gorkun · Oleksandr Gorkun · commit f969b9d93dc9 · 2018-06-13T11:04:04.000+03:00
diff --git a/dev/tests/functional/utils/log.php b/dev/tests/functional/utils/log.php
@@ -9,6 +9,11 @@
 }
 
 $name = urldecode($_GET['name']);
-$file = file_get_contents('../../../../var/log/' . $name);
+$logDir = realpath('../../../../var/log');
+$logFile = realpath($logDir .'/' .$name);
+if (!$logFile || !$logDir || mb_strpos($logFile, $logDir .'/') !== 0) {
+    throw new \InvalidArgumentException('Invalid log file name');
+}
+$file = file_get_contents($logFile);
 
 echo serialize($file);
