From cf6cda260da2b16bef0f835e12adc1668dc1ce71 Mon Sep 17 00:00:00 2001
From: Jill Stingray
Date: Sun, 14 Jun 2020 18:43:23 +0300
Subject: [PATCH] [IMPORTANT SECURITY] Fix critical directory traversal vulnerability in file seeding mechanism

---
 Web/Presenters/BlobPresenter.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Web/Presenters/BlobPresenter.php b/Web/Presenters/BlobPresenter.php
index 99e6d87b..117eebca 100644
--- a/Web/Presenters/BlobPresenter.php
+++ b/Web/Presenters/BlobPresenter.php
@@ -17,6 +17,7 @@ final class BlobPresenter extends OpenVKPresenter
 function renderFile(/*string*/ $dir, string $name, string $format)
 {
 $dir = $this->getDirName($dir);
+ $name = preg_replace("%[^a-zA-Z0-9_\-]++%", "", $name);
 $path = OPENVK_ROOT . "/storage/$dir/$name.$format";
 if(!file_exists($path)) {
 $this->notFound();
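Review bot: `$format` is still interpolated unfiltered on the `$path = OPENVK_ROOT . "/storage/$dir/$name.$format";` line, so if it is route- or user-supplied in the same way `$name` appears to be, a value containing `/` or `..` can still leave the intended storage directory and the added whitelist should cover it too. Stripping characters with `preg_replace` also silently rewrites a malformed name into a different valid one (and returns `null` on a PCRE error, which interpolates as an empty string), so rejecting is the safer shape: `if (!preg_match('%^[a-zA-Z0-9_\-]++$%', $name) || !preg_match('%^[a-zA-Z0-9_\-]++$%', $format)) { $this->notFound(); }`. As defence in depth, checking that `realpath($path)` starts with the resolved storage root before serving would catch any future path-building mistake regardless of how the inputs are validated. Whether `$dir` is safe depends on `getDirName`, which is outside the hunk, as is the remainder of `renderFile`'s body.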