From f3ad69181b8afed2c9edf7be5a2918144ff4ea32 Mon Sep 17 00:00:00 2001
From: Frank de Jonge <info@frankdejonge.nl>
Date: Wed, 23 Jun 2021 23:39:25 +0200
Subject: [PATCH] Reject paths with funky whitespace.

---
 .gitignore                    |  1 +
 src/CorruptedPathDetected.php | 17 +++++++++++++++++
 src/Util.php                  | 19 ++++++++++---------
 tests/UtilTests.php           | 20 ++++++++++++++++++--
 4 files changed, 46 insertions(+), 11 deletions(-)
 create mode 100644 src/CorruptedPathDetected.php

diff --git a/.gitignore b/.gitignore
index bd11bfd9d..bfcf19834 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 .php_cs.cache
+.phpunit.result.cache
 php-cs-fixer
 bin
 composer.lock
diff --git a/src/CorruptedPathDetected.php b/src/CorruptedPathDetected.php
new file mode 100644
index 000000000..81a27e5f2
--- /dev/null
+++ b/src/CorruptedPathDetected.php
@@ -0,0 +1,17 @@
+<?php
+
+namespace League\Flysystem;
+
+use LogicException;
+
+class CorruptedPathDetected extends LogicException implements FilesystemException
+{
+    /**
+     * @param string $path
+     * @return CorruptedPathDetected
+     */
+    public static function forPath($path)
+    {
+        return new CorruptedPathDetected("Corrupted path detected: " . $path);
+    }
+}
diff --git a/src/Util.php b/src/Util.php
index 76454a05e..1a2db718d 100644
--- a/src/Util.php
+++ b/src/Util.php
@@ -5,6 +5,8 @@
 use League\Flysystem\Util\MimeType;
 use LogicException;
 
+use function strcmp;
+
 class Util
 {
     /**
@@ -102,8 +104,7 @@ public static function normalizePath($path)
     public static function normalizeRelativePath($path)
     {
         $path = str_replace('\\', '/', $path);
-        $path = static::removeFunkyWhiteSpace($path);
-
+        $path =  static::removeFunkyWhiteSpace($path);
         $parts = [];
 
         foreach (explode('/', $path) as $part) {
@@ -127,11 +128,13 @@ public static function normalizeRelativePath($path)
             }
         }
 
-        return implode('/', $parts);
+        $path = implode('/', $parts);
+
+        return $path;
     }
 
     /**
-     * Removes unprintable characters and invalid unicode characters.
+     * Rejects unprintable characters and invalid unicode characters.
      *
      * @param string $path
      *
@@ -139,10 +142,8 @@ public static function normalizeRelativePath($path)
      */
     protected static function removeFunkyWhiteSpace($path)
     {
-        // We do this check in a loop, since removing invalid unicode characters
-        // can lead to new characters being created.
-        while (preg_match('#\p{C}+|^\./#u', $path)) {
-            $path = preg_replace('#\p{C}+|^\./#u', '', $path);
+        if (preg_match('#\p{C}+#u', $path)) {
+            throw CorruptedPathDetected::forPath($path);
         }
 
         return $path;
@@ -205,7 +206,7 @@ public static function emulateDirectories(array $listing)
         $listedDirectories = [];
 
         foreach ($listing as $object) {
-            list($directories, $listedDirectories) = static::emulateObjectDirectories($object, $directories, $listedDirectories);
+            [$directories, $listedDirectories] = static::emulateObjectDirectories($object, $directories, $listedDirectories);
         }
 
         $directories = array_diff(array_unique($directories), array_unique($listedDirectories));
diff --git a/tests/UtilTests.php b/tests/UtilTests.php
index 9ee36a175..c6481839e 100644
--- a/tests/UtilTests.php
+++ b/tests/UtilTests.php
@@ -35,6 +35,23 @@ public function testContentSize()
         $this->assertEquals(3, Util::contentSize('135'));
     }
 
+    /**
+     * @dataProvider dbCorruptedPath
+     */
+    public function testRejectingPathWithFunkyWhitespace($path)
+    {
+        $this->expectException(CorruptedPathDetected::class);
+        Util::normalizePath($path);
+    }
+
+    /**
+     * @return array
+     */
+    public function dbCorruptedPath()
+    {
+        return [["some\0/path.txt"], ["s\x09i.php"]];
+    }
+
     public function mapProvider()
     {
         return [
@@ -95,7 +112,7 @@ public function invalidPathProvider()
     }
 
     /**
-     * @dataProvider       invalidPathProvider
+     * @dataProvider invalidPathProvider
      */
     public function testOutsideRootPath($path)
     {
@@ -125,7 +142,6 @@ public function pathProvider()
             ['example/path/..txt', 'example/path/..txt'],
             ['\\example\\path.txt', 'example/path.txt'],
             ['\\example\\..\\path.txt', 'path.txt'],
-            ["some\0/path.txt", 'some/path.txt'],
         ];
     }