[security:CVE-2022-26960] fix a path traversal issue
Fixed a path traversal vulnerability. The problem was that a path could
get out of the configured directory, allowing "arbitrary" files on the
hosting server's file system to be read and written.

Special thanks to Gaetan Ferry (Synacktiv) for reporting this issue.
nao-pon committed Mar 14, 2022
1 parent 93da305 commit 3b75849
Showing 2 changed files with 15 additions and 3 deletions.
17 changes: 14 additions & 3 deletions php/elFinderVolumeDriver.class.php
Expand Up @@ -6794,14 +6794,22 @@ protected function getFullPath($path, $base)
$base = rtrim($base, $separator);
}

// 'Here'
if ($path === '' || $path === '.' . $separator) return $base;

$sepquoted = preg_quote($separator, '#');

// normalize `//` to `/`
$path = preg_replace('#' . $sepquoted . '+#', $separator, $path); // '#/+#'

// remove `./`
$path = preg_replace('#(?<=^|' . $sepquoted . ')\.' . $sepquoted . '#', '', $path); // '#(?<=^|/)\./#'

// 'Here'
if ($path === '') return $base;

// join $base to $path if $path start `../`
if (substr($path, 0, 3) === '..' . $separator) {
$path = $base . $separator . $path;
}

// normalize `/../`
$normreg = '#(' . $sepquoted . ')[^' . $sepquoted . ']+' . $sepquoted . '\.\.' . $sepquoted . '#'; // '#(/)[^\/]+/\.\./#'
while (preg_match($normreg, $path)) {
Expand All @@ -6811,6 +6819,9 @@ protected function getFullPath($path, $base)
$path = rtrim($path, $separator);
}

// discard the surplus `../`
$path = str_replace('..' . $separator, '', $path);

// Absolute path
if ($path[0] === $separator || strpos($path, $systemroot) === 0) {
return $path;
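Review bot: The `str_replace('..' . $separator, '', $path)` step under "discard the surplus `../`" matches that substring anywhere in the string rather than whole path segments, so a legitimate name ending in two dots (a directory called `foo..`) is silently rewritten into a different path. Anchoring it to a segment boundary, the way the `./` removal earlier in the function already does, keeps the intent without touching such names: `$path = preg_replace('#(?<=^|' . $sepquoted . ')\.\.' . $sepquoted . '#', '', $path);`. Textual cleanup is also not a containment guarantee. getFullPath() starts before and continues after the visible hunks, so it is worth confirming that the returned path is still compared against the volume root before any file access, and adding a regression test that pins this normalization.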
1 change: 1 addition & 0 deletions php/elFinderVolumeLocalFileSystem.class.php
Expand Up @@ -485,6 +485,7 @@ protected function _abspath($path)
if ($path === DIRECTORY_SEPARATOR) {
return $this->root;
} else {
$path = $this->_normpath($path);
if (strpos($path, $this->systemRoot) === 0) {
return $path;
} else if (DIRECTORY_SEPARATOR !== '/' && preg_match('/^[a-zA-Z]:' . preg_quote(DIRECTORY_SEPARATOR, '/') . '/', $path)) {
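Review bot: After the `_normpath()` call, the first branch returns any path that begins with `$this->systemRoot` unchanged, so `_abspath()` itself never compares the result with `$this->root` in the lines shown. If containment is enforced by the callers, that contract deserves a comment at this line, for example `// normalized only; callers must still verify the result is inside $this->root`. If it is not enforced elsewhere, this is the place to add the check, since normalization alone does not stop an absolute path from pointing outside the volume. The function body continues past the end of this hunk, so the remaining branches are not visible here.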
