Skip to content

Commit

Permalink
fixed path traversal by santize checking fiilename
Browse files Browse the repository at this point in the history
  • Loading branch information
rhukster committed Mar 4, 2024
1 parent 15dc756 commit 5928411
Show file tree
Hide file tree
Showing 2 changed files with 3 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
1. [](#bugfix)
* Fixed some multibyte issues in Inflector class [#732](https://github.com/getgrav/grav/issues/732)
* Fallback to page modified date if Page date provided is invalid and can't be parsed [getgrav/grav-plugin-admin#2394](https://github.com/getgrav/grav-plugin-admin/issues/2394)
* Fixed a path traversal vulnerability with file uploads [GHSA-m7hx-hw6h-mqmc](https://github.com/getgrav/grav/security/advisories/GHSA-m7hx-hw6h-mqmc)

# v1.7.44
## 01/05/2024
Expand Down
2 changes: 2 additions & 0 deletions system/src/Grav/Common/Utils.php
Original file line number Diff line number Diff line change
Expand Up @@ -989,6 +989,8 @@ public static function checkFilename($filename): bool
|| strtr($filename, "\t\v\n\r\0\\/", '_______') !== $filename
// Filename should not start or end with dot or space.
|| trim($filename, '. ') !== $filename
// Filename should not contain path traversal
|| str_replace('..', '', $filename) !== $filename
// File extension should not be part of configured dangerous extensions
|| in_array($extension, $dangerous_extensions)
);
Expand Down

0 comments on commit 5928411

Please sign in to comment.