The fix in the commit 8f5a3a3 is insufficient to prevent path traversal, as the attacker can still use payloads such as `content/../index.php` to bypass the check. This PR uses `realpath` to resolve all path traversing operations to give the final path. For example, `/var/html/content/../index.php` becomes `/var/html/index.php`. It then creates a variable `contentDir` which is the fully qualified path for the content folder, e.g. `/var/html/content/`. When a user deletes a file, it checks if the absolute path of the file starts with `contentDir` (`/var/html/content/`). If it does not, it means that the file does not exist in `/var/html/content/`, and the operation is denied.
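The realpath-plus-prefix check the description outlines, written out as an added example that is not this PR's own code; it assumes the content folder is `/var/html/content/` as in the description, and the function name and sample file names are constructed.

```php
<?php
// Added example (not the project's code): resolve a user-supplied file name
// inside the content directory and refuse anything that escapes it.

/**
 * Return the resolved absolute path if $userPath points to an existing file
 * inside $contentDir, or null if it does not.
 */
function resolveInsideContentDir(string $contentDir, string $userPath): ?string
{
    // Reject embedded NUL bytes before touching the filesystem.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }

    // Canonicalise the content directory itself, then keep a trailing
    // separator so that /var/html/content2 cannot pass as a prefix match.
    $base = realpath($contentDir);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // realpath() collapses "." and ".." segments and follows symlinks, so
    // /var/html/content/../index.php becomes /var/html/index.php. It returns
    // false when the target does not exist, which is also treated as denied.
    // The user path is appended to $base, so an absolute payload such as
    // /etc/passwd is looked up as /var/html/content/etc/passwd.
    $resolved = realpath($base . $userPath);
    if ($resolved === false) {
        return null;
    }

    // The resolved path must start with the canonical content directory.
    if (strncmp($resolved, $base, strlen($base)) !== 0) {
        return null;
    }
    return $resolved;
}

// Constructed usage, mirroring the payload quoted in the PR description:
//   resolveInsideContentDir('/var/html/content/', '../index.php')
// resolves to /var/html/index.php, which does not start with
// /var/html/content/ and is therefore rejected (null), whereas
//   resolveInsideContentDir('/var/html/content/', 'notes.txt')
// returns /var/html/content/notes.txt when that file exists.
```

Because `realpath()` requires the target to exist, the check should run on the exact path that will be passed to `unlink()`, and the result of the check, not the original user string, should be used for the deletion.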