From 5928411b86bab05afca2b33db4e7386a44858e99 Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Mon, 4 Mar 2024 13:39:50 -0700 Subject: [PATCH] fixed path traversal by santize checking fiilename --- CHANGELOG.md | 1 + system/src/Grav/Common/Utils.php | 2 ++ 2 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ba936e2841..16ac059060 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ 1. [](#bugfix) * Fixed some multibyte issues in Inflector class [#732](https://github.com/getgrav/grav/issues/732) * Fallback to page modified date if Page date provided is invalid and can't be parsed [getgrav/grav-plugin-admin#2394](https://github.com/getgrav/grav-plugin-admin/issues/2394) + * Fixed a path traversal vulnerability with file uploads [GHSA-m7hx-hw6h-mqmc](https://github.com/getgrav/grav/security/advisories/GHSA-m7hx-hw6h-mqmc) # v1.7.44 ## 01/05/2024 diff --git a/system/src/Grav/Common/Utils.php b/system/src/Grav/Common/Utils.php index bc56f81a94..a518ec1990 100644 --- a/system/src/Grav/Common/Utils.php +++ b/system/src/Grav/Common/Utils.php @@ -989,6 +989,8 @@ public static function checkFilename($filename): bool || strtr($filename, "\t\v\n\r\0\\/", '_______') !== $filename // Filename should not start or end with dot or space. || trim($filename, '. ') !== $filename + // Filename should not contain path traversal + || str_replace('..', '', $filename) !== $filename // File extension should not be part of configured dangerous extensions || in_array($extension, $dangerous_extensions) );