fixed path traversal by sanitize checking filename

Andy Miller 2024-03-04 13:39:50 -07:00
parent 15dc7568a5
commit 5928411b86
No known key found for this signature in database
GPG Key ID: 9F2CF38AEBDB0AE0
2 changed files with 3 additions and 0 deletions


@ -6,6 +6,7 @@
1. [](#bugfix)
* Fixed some multibyte issues in Inflector class [#732](https://github.com/getgrav/grav/issues/732)
* Fallback to page modified date if Page date provided is invalid and can't be parsed [getgrav/grav-plugin-admin#2394](https://github.com/getgrav/grav-plugin-admin/issues/2394)
* Fixed a path traversal vulnerability with file uploads [GHSA-m7hx-hw6h-mqmc](https://github.com/getgrav/grav/security/advisories/GHSA-m7hx-hw6h-mqmc)
# v1.7.44
## 01/05/2024


@ -989,6 +989,8 @@ abstract class Utils
|| strtr($filename, "\t\v\n\r\0\\/", '_______') !== $filename
// Filename should not start or end with dot or space.
|| trim($filename, '. ') !== $filename
// Filename should not contain path traversal
|| str_replace('..', '', $filename) !== $filename
// File extension should not be part of configured dangerous extensions
|| in_array($extension, $dangerous_extensions)
);
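Review bot: the added `|| str_replace('..', '', $filename) !== $filename` line is a substring test expressed as rebuild-and-compare; `strpos($filename, '..') !== false` states the intent directly and avoids allocating a modified copy. Since the `strtr` line two lines above already rejects `/` and `\`, a literal `..` can no longer form a traversal segment at this point, so this check is defense in depth that also rejects otherwise valid names such as `a..b.txt`; that trade-off is reasonable but should be stated in the comment so nobody later "fixes" it. Note that only the literal two-dot sequence is matched, so any caller that URL-decodes or normalizes the filename after this check must re-validate the result.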