Skip to content
Permalink
Browse files Browse the repository at this point in the history
[php:security] fix directory traversal vulnerability
Fixed vulnerability that can delete arbitrary files with zipdl command.

Fixed it because there was a possibility that files that can be deleted
may be deleted by the execution account of the web server.

Reviewed-by: Ravindra Rajaram <ravindra.rajaram@ca.com> and Kevin Kotas <kevin.kotas@ca.com>
  • Loading branch information
nao-pon committed Mar 28, 2018
1 parent 82b098f commit 157f471
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion php/elFinder.class.php
Expand Up @@ -1623,10 +1623,14 @@ protected function zipdl($args) {
return array('error' => 'File not found', 'header' => $h404, 'raw' => true);
}
$file = $targets[1];
// checking the validity of the file parameter
if (strpos($file, DIRECTORY_SEPARATOR) !== false) {
return array('error' => 'File not found', 'header' => $h404, 'raw' => true);
}
$path = $volume->getTempPath().DIRECTORY_SEPARATOR.$file;
// register auto delete on shutdown
$GLOBALS['elFinderTempFiles'][$path] = true;
if (!is_readable($path)) {
if (!is_writable($path)) {
return array('error' => 'File not found', 'header' => $h404, 'raw' => true);
}
$name = $targets[2];
Expand Down

0 comments on commit 157f471

Please sign in to comment.