Using just pathinfo to validate that a file name and not a relative path \was sent

workflow/engine/controllers/pmTables.php

@@ -153,7 +153,7 @@ class pmTables extends Controller
 
         $realPath = $PUBLIC_ROOT_PATH . $sFileName;
 
-        if ($this->isValidFileToBeStreamed($realPath, $PUBLIC_ROOT_PATH) === false) {
+        if ($this->isValidFileToBeStreamed($sFileName) === false) {
             throw new Exception("You are trying to access an unauthorized resource.");
         }
 
@@ -213,25 +213,22 @@ class pmTables extends Controller
     }
 
     /**
-     * Validates if the file with the path $filePath is a valid one,
+     * Validates if the file with the $fileName is a valid one,
-     * that is, it must be a file within the temporal directory where the
+     * that is, it must be a file without relative references that
-     * exported pmt files are created and must have one of the valid file
+     * can open a door to get some unauthorized system file and
-     * extensions.
+     * must have one of the valid file extensions.
      *
-     * @param $filePath, full path to the temporal file that will be streamed
+     * @param $fileName, emporal file name that will be streamed
-     * @param $tempDir, directory's path where the temporal files are created.
      * @return bool
      */
-    private function isValidFileToBeStreamed($filePath, $tempDir)
+    private function isValidFileToBeStreamed($fileName)
     {
         $result = true;
         $validExtensionsForExporting = ['csv', 'pmt'];
-        $fileRealPath = realpath($filePath);
-        $tempDirRealPath = realpath($tempDir);
 
-        $pathInfo = pathinfo($fileRealPath);
+        $pathInfo = pathinfo($fileName);
 
-        if ($pathInfo ['dirname'] !== $tempDirRealPath) {
+        if ($pathInfo ['dirname'] !== '.') {
             $result =  false;
         }