fix: avoid possible path traversal

thorsten · Mar 17, 2024 · 75fbeb0 · 75fbeb0
1 parent 9136883
commit 75fbeb0
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/phpmyfaq/admin/configuration.php b/phpmyfaq/admin/configuration.php
@@ -58,6 +58,13 @@
         if (isset($editData['edit']['main.currentVersion'])) {
             unset($editData['edit']['main.currentVersion']); // don't update the version number
         }
+        if (isset($editData['edit']['records.attachmentsPath'])) {
+            $editData['edit']['records.attachmentsPath'] = str_replace(
+                '../',
+                '',
+                $editData['edit']['records.attachmentsPath']
+            );
+        }
 
         if (
             isset($editData['edit']['main.referenceURL']) &&