Closed
Description
Hello,
I would like to report for path manipulation vulnerability.
The path of the vulnerability.
line 319
private function getShowId()
{
if (!($id = $this->_getParam('id', false))) {
//...
}
return $id;
}line 52
public function postAction()
{
$showId = $this->getShowId();
//...
try {
$path = $this->processUploadedImage($showId, $_FILES['file']['tmp_name']);
} catch (Exception $e) {
// ...
}
}line 163
private function processUploadedImage($showId, $tempFilePath)
{
//...
$importedStorageDirectory = $storDir->getDirectory() . 'imported/' . $ownerId . '/show-images/' . $showId;
try {
$importedStorageDirectory = $this->copyFileToStor($tempFilePath, $importedStorageDirectory, $fileExtension);
} catch (Exception $e) {
// ...
}
}In file https://github.com/LibreTime/libretime/blob/master/legacy/application/common/OsPath.php
line 56
public static function join()
{
$args = func_get_args();
$paths = [];
foreach ($args as $arg) {
$paths = array_merge($paths, (array) $arg);
}
foreach ($paths as &$path) {
$path = trim($path, DIRECTORY_SEPARATOR);
}
if (substr($args[0], 0, 1) == DIRECTORY_SEPARATOR) {
$paths[0] = DIRECTORY_SEPARATOR . $paths[0];
}
return implode(DIRECTORY_SEPARATOR, $paths);
}line 256
$image_stor = Application_Common_OsPath::join($importedStorageDirectory, $newFileName);line 260
// path manipulation in rename function
if (@rename($image_file, $image_stor) === false) {
//...
}Metadata
Metadata
Assignees
Labels
No labels