Lanmikeman/openvk
Lanmikeman/openvk
1
1
Fork 0
mirror of https://github.com/openvk/openvk synced 2024-12-22 16:42:32 +03:00
Code Issues Projects Releases Packages Wiki Activity

[IMPORTANT SECURITY] Fix critical directory traversal vulnerability in file seeding mechanism

Browse source
This commit is contained in:
Jill Stingray 2020-06-14 18:43:23 +03:00
parent 02dd373460
commit cf6cda260d
1 changed files with 1 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
Web/Presenters/BlobPresenter.php
View file

@ -17,6 +17,7 @@ final class BlobPresenter extends OpenVKPresenter
function renderFile(/*string*/ $dir, string $name, string $format) function renderFile(/*string*/ $dir, string $name, string $format)
{ {
$dir = $this->getDirName($dir); $dir = $this->getDirName($dir);
$name = preg_replace("%[^a-zA-Z0-9_\-]++%", "", $name);
$path = OPENVK_ROOT . "/storage/$dir/$name.$format"; $path = OPENVK_ROOT . "/storage/$dir/$name.$format";
if(!file_exists($path)) { if(!file_exists($path)) {
$this->notFound(); $this->notFound();