Merge pull request from GHSA-x8wj-6m73-gfqp
bytehead committed Feb 4, 2020
1 parent ddc0c39 commit a601144
Showing 6 changed files with 24 additions and 6 deletions.
4 changes: 2 additions & 2 deletions Controller/DropzoneController.php
@@ -42,8 +42,8 @@ public function upload()
protected function parseChunkedRequest(Request $request)
{
$totalChunkCount = $request->get('dztotalchunkcount');
$index = $request->get('dzchunkindex');
$last = ((int) $index + 1) === (int) $totalChunkCount;
$index = (int) $request->get('dzchunkindex');
$last = ($index + 1) === (int) $totalChunkCount;
$uuid = $request->get('dzuuid');

/**
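Review bot: `$uuid = $request->get('dzuuid');` still hands the raw request value to the storage layer, so the only guard between the request and a filesystem path is the `basename()` call the commit adds in the storage classes; validating the format at this boundary would make the contract explicit, e.g. `if (!preg_match('/^[A-Za-z0-9_-]+$/', (string) $uuid)) { throw new \InvalidArgumentException('Invalid dzuuid'); }` (the character class is a guess at the Dropzone uuid alphabet and should be confirmed against what the client sends). The hunk also casts only `$index` at assignment while `$totalChunkCount` is cast at the comparison, which is inconsistent with the FineUploaderController hunk in this same commit; `$totalChunkCount = (int) $request->get('dztotalchunkcount');` followed by `$last = ($index + 1) === $totalChunkCount;` would match it. parseChunkedRequest continues past the end of the hunk.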
6 changes: 3 additions & 3 deletions Controller/FineUploaderController.php
@@ -40,11 +40,11 @@ public function upload()

protected function parseChunkedRequest(Request $request)
{
$index = $request->get('qqpartindex');
$total = $request->get('qqtotalparts');
$index = (int) $request->get('qqpartindex');
$total = (int) $request->get('qqtotalparts');
$uuid = $request->get('qquuid');
$orig = $request->get('qqfilename');
$last = ((int) $total - 1) === (int) $index;
$last = ($total - 1) === $index;

return [$last, $uuid, $index, $orig];
}
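Review bot: `$orig = $request->get('qqfilename');` is returned untouched as the fourth element, and the FilesystemStorage hunk in this commit builds the chunk file name from it (`$name = sprintf('%s_%s', $index, $original);`), so the client-supplied file name reaches the path without the `basename()` treatment the commit gives `$uuid`; unless a later step normalises it (not visible in this diff) that is still an untrusted path component. Consider `$orig = basename((string) $request->get('qqfilename'));` here, and the same treatment for `$orig = $request->get('name');` in PluploadController and the equivalent lookup in DropzoneController that this diff does not show. The whole function is visible in this hunk, so the change affects only the value placed into `return [$last, $uuid, $index, $orig];`.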
2 changes: 1 addition & 1 deletion Controller/PluploadController.php
@@ -35,7 +35,7 @@ protected function parseChunkedRequest(Request $request)
$session = $this->container->get('session');

$orig = $request->get('name');
$index = $request->get('chunk');
$index = (int) $request->get('chunk');
$last = (int) $request->get('chunks') - 1 === (int) $request->get('chunk');

// it is possible, that two clients send a file with the
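Review bot: The new cast on `$index = (int) $request->get('chunk');` is not reused on the next line, which reads and casts `$request->get('chunk')` a second time; this is inconsistent with the Dropzone and FineUploader hunks in the same commit, which compare against the cast variable. Prefer `$last = ((int) $request->get('chunks') - 1) === $index;`. `$orig = $request->get('name');` is likewise passed on raw, which is the same concern raised on FineUploaderController's `qqfilename`. parseChunkedRequest starts above this hunk and continues past it.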
6 changes: 6 additions & 0 deletions Uploader/Chunk/Storage/FilesystemStorage.php
@@ -38,6 +38,9 @@ public function clear($maxAge)

public function addChunk($uuid, $index, UploadedFile $chunk, $original)
{
// Prevent path traversal attacks
$uuid = basename($uuid);

$filesystem = new Filesystem();
$path = sprintf('%s/%s', $this->directory, $uuid);
$name = sprintf('%s_%s', $index, $original);
@@ -106,6 +109,9 @@ public function cleanup($path)

public function getChunks($uuid)
{
// Prevent path traversal attacks
$uuid = basename($uuid);

$finder = new Finder();
$finder
->in(sprintf('%s/%s', $this->directory, $uuid))->files()->sort(function (\SplFileInfo $a, \SplFileInfo $b) {
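Review bot: `$uuid = basename($uuid);` does not neutralise the values `..`, `.` or an empty string — PHP's `basename('..')` returns `..` and `basename('/')` returns `''` — so `sprintf('%s/%s', $this->directory, $uuid)` in addChunk and the `->in(...)` argument in getChunks can still resolve to the parent of, or the root of, the chunk directory. Add an allow-list check directly after the basename line in both methods, e.g. `if ($uuid === '' || !preg_match('/^[A-Za-z0-9_-]+$/', $uuid)) { throw new \InvalidArgumentException('Invalid chunk uuid'); }`; the character class assumes client uuids are ASCII word/dash strings, which should be confirmed. The same applies to the identical `basename()` lines added in FlysystemStorage and GaufretteStorage, where `$this->prefix.'/'.$uuid` is used as a key prefix and an empty uuid widens the listing to everything under the prefix. Both methods continue past their hunks.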
6 changes: 6 additions & 0 deletions Uploader/Chunk/Storage/FlysystemStorage.php
@@ -65,6 +65,9 @@ public function clear($maxAge, $prefix = null)

public function addChunk($uuid, $index, UploadedFile $chunk, $original)
{
// Prevent path traversal attacks
$uuid = basename($uuid);

$this->unhandledChunk = [
'uuid' => $uuid,
'index' => $index,
@@ -136,6 +139,9 @@ public function cleanup($path)

public function getChunks($uuid)
{
// Prevent path traversal attacks
$uuid = basename($uuid);

return $this->filesystem->listFiles($this->prefix.'/'.$uuid);
}

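Review bot: The two-line sanitiser (`// Prevent path traversal attacks` / `$uuid = basename($uuid);`) is now copy-pasted into addChunk and getChunks of three storage classes, so any later hardening of the uuid check has to be repeated six times and can silently diverge between backends. A single shared helper — for example a protected method on a common base or a small function in the chunk storage namespace, called as `$uuid = self::sanitizeUuid($uuid);` — would keep the three storages consistent. The `'uuid' => $uuid` entry written into `$this->unhandledChunk` would then always carry the canonical form. addChunk continues past this hunk.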
6 changes: 6 additions & 0 deletions Uploader/Chunk/Storage/GaufretteStorage.php
@@ -98,6 +98,9 @@ public function clear($maxAge, $prefix = null)
*/
public function addChunk($uuid, $index, UploadedFile $chunk, $original)
{
// Prevent path traversal attacks
$uuid = basename($uuid);

$this->unhandledChunk = [
'uuid' => $uuid,
'index' => $index,
@@ -170,6 +173,9 @@ public function cleanup($path)

public function getChunks($uuid)
{
// Prevent path traversal attacks
$uuid = basename($uuid);

$results = $this->filesystem->listKeys($this->prefix.'/'.$uuid);

/* exclude files without an index, so if there is a completed file which
