Security Fix #728
Merged
Security Fix #728
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Great, thank you! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The fix in the commit 8f5a3a3 is insufficient to prevent path traversal, as the attacker can still use payloads such as
content/../index.phpto bypass the check.This PR uses
realpathto resolve all path traversing operations to give the final path.For example
/var/html/content/../index.phpbecomes/var/html/index.phpIt then creates a variable
contentDirwhich is the fully qualified path for the content foldere.g.
/var/html/content/When a user deletes a file, it checks if the absolute path of the file starts with
contentDir(/var/html/content/). If it does not, it means that the file does not exist in/var/html/content/, and the operation is denied.