Prohibit path traversal on upload
 - Thank you Rik Lutz
torinfo committed May 7, 2021
1 parent df5c417 commit 6daeb81
Showing 5 changed files with 5 additions and 5 deletions.
2 changes: 1 addition & 1 deletion editor/elfinder/php/connector.php
Expand Up @@ -39,7 +39,7 @@
$rootpath = $_REQUEST['uploadDir'];
$rooturl = $_REQUEST['uploadURL'];

if (strpos($rootpath, 'USER-FILES') === false || strpos($rooturl, 'USER-FILES') === false)
if (strpos($rootpath, 'USER-FILES') === false || strpos($rootpath, '../') !== false || strpos($rooturl, 'USER-FILES') === false)
{
die("Invalid upload location");
}
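Review bot: The new `strpos($rootpath, '../') !== false` test in the condition is a substring denylist, so it still accepts a path whose `..` segment is not followed by a forward slash (trailing `..`, or a backslash separator on Windows hosts) and it never checks where `$rootpath` actually resolves; the same pattern is added in editor/uploadImage.php (`$_REQUEST['uploadPath']`), modules/decision/engine/upload.php and modules/site/engine/upload.php (`$_GET['path']`), and website_code/php/import/fileupload.php (`$_POST['mediapath']`). A containment check on the canonical path — `realpath()` of the requested directory must start with the `realpath()` of the permitted USER-FILES base — rejects every spelling of traversal at once and is what I would substitute at each of those five sites. Since `$_REQUEST['uploadDir']` may be absent, defaulting it with `?? ''` also avoids passing null to `strpos()`/`realpath()`. `realpath()` returns false for a directory that does not exist, which is presumably fine for an upload target but worth confirming against how these directories are created.

```php
$rootpath = $_REQUEST['uploadDir'] ?? '';
$rooturl = $_REQUEST['uploadURL'] ?? '';

// <ALLOWED_BASE> is a placeholder for this installation's absolute USER-FILES directory.
$allowedBase = realpath('<ALLOWED_BASE>');
$realRoot = realpath($rootpath);
if ($realRoot === false || $allowedBase === false
    || strpos($realRoot . DIRECTORY_SEPARATOR, $allowedBase . DIRECTORY_SEPARATOR) !== 0
    || strpos($rooturl, 'USER-FILES') === false)
{
    die("Invalid upload location");
}
```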
2 changes: 1 addition & 1 deletion editor/uploadImage.php
Expand Up @@ -72,7 +72,7 @@ function sanitizeName($file, &$response)
}

// Check upload path, should contain USER-FILES
if (strpos($_REQUEST['uploadURL'], 'USER-FILES') === false)
if (strpos($_REQUEST['uploadPath'], 'USER-FILES') === false || strpos($_REQUEST['uploadPath'], '../') !== false || strpos($_REQUEST['uploadURL'], 'USER-FILES') === false)
{
// Invalid folder, reject!
$response->uploaded = 0;
2 changes: 1 addition & 1 deletion modules/decision/engine/upload.php
Expand Up @@ -96,7 +96,7 @@
$pass = false;
if (strpos($_FILES['Filedata']['name'], '...') !== false)
$pass = false;
if (strpos($_GET['path'], 'USER-FILES') === false)
if (strpos($_GET['path'], 'USER-FILES') === false || strpos($_GET['path'], '../') !== false)
$pass = false;

if ($pass === false) {
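Review bot: The new `$_GET['path']` condition does not extend the traversal rejection to the uploaded file name: the neighbouring `$_FILES['Filedata']['name']` check (an unchanged context line directly above) tests for the three-character string `'...'`, which does not match a plain `..` segment, and looks like a typo for `'..'`. If the name is later joined onto `$path` without `basename()`, I would change that line to `if (strpos($_FILES['Filedata']['name'], '..') !== false)` and, better, use `basename()` on the name before building the destination. modules/site/engine/upload.php carries the identical pair of lines. The code that sets `$pass` to true and the surrounding function begin outside this hunk, so whether the name is sanitised elsewhere is not visible here.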
2 changes: 1 addition & 1 deletion modules/site/engine/upload.php
Expand Up @@ -79,7 +79,7 @@
$pass = false;
if (strpos($_FILES['Filedata']['name'], '...') !== false)
$pass = false;
if (strpos($_GET['path'], 'USER-FILES') === false)
if (strpos($_GET['path'], 'USER-FILES') === false || strpos($_GET['path'], '../') !== false)
$pass = false;

if ($pass === false) {
2 changes: 1 addition & 1 deletion website_code/php/import/fileupload.php
Expand Up @@ -55,7 +55,7 @@ function convertToBytes(string $from): ?int {
_debug("Session is invalid or expired");
die("Session is invalid or expired");
}
if (strpos($_POST['mediapath'], 'USER-FILES') === false)
if (strpos($_POST['mediapath'], 'USER-FILES') === false || strpos($_POST['mediapath'], '../') !== false)
{
// Invalid upload path
_debug("Invalid or illegal mediapath");
