Prevent path traversal in $modx->runProcessor #13176

Merged
merged 1 commit into from Nov 14, 2016


Mark-H (Collaborator) commented Nov 14, 2016

What does it do?

Strips out actions with ../ or ..././ that attempt to go outside the defined processors path.

Why is it needed?

Similar to the patch in #13173, however specifically for processors executed via $modx->runProcessor. It's a lot harder to execute a successful path traversal through $modx->runProcessor as it's typically only used server-side without accepting user input, but can't hurt to fix.

Related issue(s)/PR(s)

#13173
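
The `..././` form named in the description matters because a single pass that deletes `../` leaves a fresh `../` behind. The following is an added PHP illustration, not the code from this pull request or from MODX; the function names and the temporary directory layout are hypothetical. It compares a one-pass strip with a repeat-until-stable strip backed by a `realpath` containment check:

```php
<?php
// Added illustration; function names and directory layout are hypothetical, not MODX code.

// Weak form: one pass over the string.
function strip_once(string $action): string
{
    return str_replace('../', '', $action);
}

// Repeat the strip until nothing changes, so removing one "../" cannot assemble another.
function strip_until_stable(string $action): string
{
    $action = str_replace('\\', '/', $action); // treat backslash separators like "/"
    do {
        $before = $action;
        $action = str_replace('../', '', $action);
    } while ($action !== $before);
    return ltrim($action, '/');
}

// Second layer: resolve the file and require it to sit under the base directory.
function resolve_processor(string $base, string $action): ?string
{
    $root = realpath($base);
    $file = realpath($base . '/' . strip_until_stable($action) . '.class.php');
    if ($root === false || $file === false) {
        return null; // missing base directory or missing file
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    return strncmp($file, $prefix, strlen($prefix)) === 0 ? $file : null;
}

// Constructed sample layout in a temp directory (not a real MODX install).
$tmp = sys_get_temp_dir() . '/runproc_demo_' . bin2hex(random_bytes(4));
mkdir("$tmp/processors/resource", 0700, true);
file_put_contents("$tmp/processors/resource/get.class.php", "<?php // sample\n");
file_put_contents("$tmp/secret.class.php", "<?php // outside the processors path\n");

// Print what the one-pass strip leaves behind next to the hardened result.
foreach (['resource/get', '../secret', '..././secret', '....//secret'] as $action) {
    printf("%-14s once=%-12s resolved=%s\n", $action, strip_once($action),
        resolve_processor("$tmp/processors", $action) ?? 'rejected');
}
```

The `realpath` check also covers cases the string filter cannot see, such as a symlink inside the processors directory that points elsewhere.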

@Mark-H Mark-H Prevent path traversal in $modx->runProcessor
Similar to the patch in #13173, however specifically for processors executed via $modx->runProcessor. It's a lot harder to execute a successful path traversal through $modx->runProcessor as it's typically only used server-side without accepting user input. But, here you go.
6040f64
@Mark-H Mark-H added this to the v2.5.2 milestone Nov 14, 2016
@opengeek opengeek was assigned by Mark-H Nov 14, 2016
@opengeek opengeek merged commit 6040f64 into modxcms:2.5.x Nov 14, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
@opengeek opengeek added a commit that referenced this pull request Nov 14, 2016
@opengeek opengeek [SECURITY] Prevent path traversal in $modx->runProcessor [#13176]
Merge remote-tracking branch 'origin/pr/13176' into 2.5.x

* origin/pr/13176:
  Prevent path traversal in $modx->runProcessor
3a9dfc8
@Mark-H Mark-H deleted the Mark-H:vuln-35-runproc branch Nov 14, 2016