Impact

The whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely.

The conditions:

• A user is allowed to supply the path or filename of an uploaded file.
• The supplied path or filename is not checked against unicode chars.
• The supplied pathname checked against an extension deny-list, not an allow-list.
• The supplied path or filename contains a unicode whitespace char in the extension.
• The uploaded file is stored in a directory that allows PHP code to be executed.

Given these conditions are met a user can upload and execute arbitrary code on the system under attack.

Patches

The unicode whitespace removal has been replaced with a rejection (exception).

The library has been patched in:

• 1.x: thephpleague/flysystem@f3ad691
• 2.x: thephpleague/flysystem@a3c694d

Workarounds

For 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.

References

• GHSA-9f46-5r25-5wfm
• https://nvd.nist.gov/vuln/detail/CVE-2021-32708
• thephpleague/flysystem@a3c694d
• thephpleague/flysystem@f3ad691
• https://packagist.org/packages/league/flysystem
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWPTENBYKI2IG47GI4DHAACLNRLTWUR5/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RNZSWK4GOMJOOHKLZEOE5AQSLC4DNCRZ/
• https://github.com/FriendsOfPHP/security-advisories/blob/master/league/flysystem/CVE-2021-32708.yaml