Plugin **extremely unsafe** - allows anyone to create a file anywhere in the filesystem #86
The field "path" is directly passed to the code that saves the comment file. Anyone can easily overwrite it, say using "Inspect" in Chrome, and save the file anywhere they want.
Just change value="/blog/post" to something like value="/../../../../".
I think the form plugin does not offer an easy way around this kind of problem, and I suspect many plugins will turn out to have a similar issue.

Comments

I didn't write this one so can't speak to the code quality, but that does appear to be very unsafe as you say. I think this plugin has a variety of issues and could do with a thorough re-write. I will probably look at this one issue immediately though.

I added a pull request to grav-plugin-form with my workaround. Basically, it allows setting values of fields before the form is processed. I'm new here; I guess there is a better way to expose this functionality, let me know.

Any update on this? This sounds important to me.

There's really no reason to use this form-based path field to store the data. The current page is enough, and that's already whitelisted via the configuration. I have a fix for this that will be released shortly.

Fixed
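A model of the flaw the report describes and of the fix the maintainer outlines (take the route from the current page, which is already whitelisted in the plugin configuration, rather than from a form field), added here as an example. This is not the comments plugin's code; the `COMMENTS_ROOT` directory, the function names, the enabled routes and the attacker value are all assumed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Models a comment-saving routine that
// derives the target file from a route, first the way the report describes
// (route taken verbatim from a form field) and then with the containment
// and whitelist checks a hardened version applies. All names are assumed.

// Assumed directory under which comment files are stored (hypothetical).
const COMMENTS_ROOT = '/var/www/grav/user/data/comments';

// Vulnerable: the submitted "path" field is joined straight into the
// filename, so a value of "/../../../../..." walks out of COMMENTS_ROOT.
function vulnerableTargetFile(string $submittedPath): string
{
    return COMMENTS_ROOT . '/' . trim($submittedPath, '/') . '/comments.yaml';
}

// Lexical normalisation: collapses "." and ".." without touching the disk,
// so it also works before the target directory exists (realpath() would
// return false for a directory that has not been created yet).
function normalisePath(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Hardened: $route is meant to come from the server-side page object, not
// from the form. Even if a form value is passed by mistake, three checks
// reject it: a strict character whitelist (no "." or NUL), the configured
// route whitelist, and a containment check on the final normalised path.
function safeTargetFile(string $route, array $enabledRoutes): ?string
{
    if (!preg_match('#^/[A-Za-z0-9_/-]*$#', $route)) {
        return null;
    }
    $route = normalisePath($route);
    if (!in_array($route, $enabledRoutes, true)) {
        return null;
    }
    $candidate = normalisePath(COMMENTS_ROOT . $route . '/comments.yaml');
    if (strpos($candidate, COMMENTS_ROOT . '/') !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed inputs: the hidden field rewritten in the browser's developer
// tools, as in the report, plus an assumed page route and configured whitelist.
$attackerPath  = '/../../../../tmp/owned';
$currentRoute  = '/blog/post';
$enabledRoutes = ['/blog/post', '/blog/another-post'];

if (PHP_SAPI === 'cli') {
    // Resolves to /var/www/tmp/owned/comments.yaml, outside COMMENTS_ROOT.
    echo 'vulnerable: ', vulnerableTargetFile($attackerPath), PHP_EOL;
    // NULL: the traversal payload fails the character and whitelist checks.
    var_dump(safeTargetFile($attackerPath, $enabledRoutes));
    // /var/www/grav/user/data/comments/blog/post/comments.yaml
    var_dump(safeTargetFile($currentRoute, $enabledRoutes));
}
```

The whitelist check is the part that matches the maintainer's fix: once only configured routes are accepted, the form field is not needed at all. The containment check is kept as a second layer so that a future change to how routes are configured cannot silently reintroduce the traversal.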