Fixed a potential RCE vulnerability

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Release Notes for Craft CMS 3.x
 
+## Unreleased
+
+- Fixed an RCE vulnerability.
+
 ## 3.8.14 - 2023-06-13
 
 - The `_includes/forms/date` and `_includes/forms/time` templates now accept a `timeZone` variable.

src/helpers/FileHelper.php

@@ -44,6 +44,9 @@ class FileHelper extends \yii\helpers\FileHelper
      */
     public static function normalizePath($path, $ds = DIRECTORY_SEPARATOR)
     {
+        // Remove any file protocol wrappers
+        $path = StringHelper::removeLeft($path, 'file://');
+
         // Is this a UNC network share path?
         $isUnc = (strpos($path, '//') === 0 || strpos($path, '\\\\') === 0);