Merge pull request symfony-cli#282 from tucksaun/fix-directory-traversal

Prevent directory traversal
tucksaun · Feb 24, 2023 · d50c07a · d50c07a
2 parents 2c8b629 + 3a8d989
commit d50c07a
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/local/php/envs.go b/local/php/envs.go
@@ -38,7 +38,7 @@ func (p *Server) generateEnv(req *http.Request) map[string]string {
 
 	pathInfo := req.URL.Path
 	if pos := strings.Index(strings.ToLower(pathInfo), ".php"); pos != -1 {
-		file := pathInfo[:pos+4]
+		file := filepath.Clean(pathInfo[:pos+4])
 		if _, err := os.Stat(filepath.Join(p.documentRoot, file)); err == nil {
 			scriptName = file
 			pathInfo = pathInfo[pos+4:]