Merge pull request #218 from adrienperonnet/backport-fix-cve-2019-18888

Backport fix for cve-2019-18888

Author: j0k3r

lib/validator/sfValidatorFile.class.php

@@ -263,7 +263,9 @@ protected function guessFromFileBinary($file)
   {
     ob_start();
     //need to use --mime instead of -i. see #6641
-    passthru(sprintf('file -b --mime %s 2>/dev/null', escapeshellarg($file)), $return);
+    $cmd = 'file -b --mime -- %s 2>/dev/null';
+    $file = (0 === strpos($file, '-') ? './' : '').$file;
+    passthru(sprintf($cmd, escapeshellarg($file)), $return);
     if ($return > 0)
     {
       ob_end_clean();

test/unit/validator/sfValidatorFileTest.php

@@ -106,6 +106,7 @@ public function getMimeTypesFromCategory($category)
 $t->is($v->guessFromFileBinary($tmpDir.'/test.txt'), 'text/plain', '->guessFromFileBinary() guesses the type of a given file');
 $t->is($v->guessFromFileBinary($tmpDir.'/foo.txt'), null, '->guessFromFileBinary() returns null if the file type is not guessable');
 $t->is($v->guessFromFileBinary('/bin/ls'), (PHP_OS != 'Darwin') ? 'application/x-executable' : 'application/octet-stream', '->guessFromFileBinary() returns correct type if file is guessable');
+$t->is($v->guessFromFileBinary('-test'), null, '->guessFromFileBinary() returns null if file path has leading dash');
 
 // ->getMimeType()
 $t->diag('->getMimeType()');