[Security] Improved sanatizing of pimcore_log parameter (#15084)

* added some more chars to remove * Update Pimcore.php
pimcore · May 3, 2023 · e8dbc4d · e8dbc4d
1 parent a5b86f3
commit e8dbc4d
Showing 1 changed file with 1 addition and 2 deletions.
diff --git a/lib/Pimcore.php b/lib/Pimcore.php
@@ -306,8 +306,7 @@ public static function initLogger()
         if (array_key_exists('pimcore_log', $_REQUEST) && self::inDebugMode()) {
             $requestLogName = date('Y-m-d_H-i-s');
             if (!empty($_REQUEST['pimcore_log'])) {
-                // slashed are not allowed, replace them with hyphens
-                $requestLogName = str_replace('/', '-', $_REQUEST['pimcore_log']);
+                $requestLogName = str_replace(['/', '\\', '..'], '-', $_REQUEST['pimcore_log']);
             }
 
             $requestLogFile = resolvePath(PIMCORE_LOG_DIRECTORY . '/request-' . $requestLogName . '.log');