From e8dbc4da58ae86618bceb67ed35ce23e5e54d2ed Mon Sep 17 00:00:00 2001
From: Christian F
Date: Wed, 3 May 2023 13:47:19 +0200
Subject: [PATCH] [Security] Improved sanatizing of `pimcore_log` parameter (#15084)
* added some more chars to remove
* Update Pimcore.php
---
 lib/Pimcore.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/Pimcore.php b/lib/Pimcore.php
index 6b31a88cae9..393118ac006 100644
--- a/lib/Pimcore.php
+++ b/lib/Pimcore.php
@@ -306,8 +306,7 @@ public static function initLogger()
 if (array_key_exists('pimcore_log', $_REQUEST) && self::inDebugMode()) {
 $requestLogName = date('Y-m-d_H-i-s');
 if (!empty($_REQUEST['pimcore_log'])) {
- // slashed are not allowed, replace them with hyphens
- $requestLogName = str_replace('/', '-', $_REQUEST['pimcore_log']);
+ $requestLogName = str_replace(['/', '\\', '..'], '-', $_REQUEST['pimcore_log']);
 }
 $requestLogFile = resolvePath(PIMCORE_LOG_DIRECTORY . '/request-' . $requestLogName . '.log');
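Review bot: The added `str_replace(['/', '\\', '..'], '-', ...)` line is still a denylist over a request value that becomes part of a file name under `PIMCORE_LOG_DIRECTORY`, so any character not on the list reaches `resolvePath()` unchanged, and what that helper rejects is not visible here. The line also does not check the type: if `$_REQUEST['pimcore_log']` is an array, `str_replace` returns an array and the concatenation on the next line raises a conversion warning. An allowlist with a type guard is easier to reason about, for example `if (is_string($_REQUEST['pimcore_log']) && $_REQUEST['pimcore_log'] !== '') {` followed by `$requestLogName = preg_replace('/[^A-Za-z0-9_-]/', '-', $_REQUEST['pimcore_log']);`. The commit also removes the only comment on this line; I would keep one such as `// request value is used in a log file name: keep only [A-Za-z0-9_-]`. The body of initLogger starts and ends outside the hunk.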