From dd75c9ddababe99b8a46135a820cb393a92f5b26 Mon Sep 17 00:00:00 2001
From: mcdruid
Date: Tue, 3 Dec 2024 17:53:41 +0000
Subject: [PATCH] Avoid Arbitrary File Deletion abuse via Object Injection
---
 system/src/Grav/Framework/Cache/Adapter/FileCache.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/system/src/Grav/Framework/Cache/Adapter/FileCache.php b/system/src/Grav/Framework/Cache/Adapter/FileCache.php
index d2058d5f7..a707a708f 100644
--- a/system/src/Grav/Framework/Cache/Adapter/FileCache.php
+++ b/system/src/Grav/Framework/Cache/Adapter/FileCache.php
@@ -201,7 +201,7 @@ class FileCache extends AbstractCache
 try {
 if ($this->tmp === null) {
- $this->tmp = $this->directory . uniqid('', true);
+ $this->tmp = $this->directory . uniqid(__CLASS__, true);
 }
 file_put_contents($this->tmp, $data);
@@ -259,7 +259,7 @@ class FileCache extends AbstractCache
 #[\ReturnTypeWillChange]
 public function __destruct()
 {
- if ($this->tmp !== null && file_exists($this->tmp)) {
+ if ($this->tmp !== null && (strpos(basename($this->tmp), __CLASS__) === 0) && file_exists($this->tmp)) {
 unlink($this->tmp);
 }
 }
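Review bot: Using `__CLASS__` as the `uniqid()` prefix puts the fully qualified class name into the temp file name, and for a namespaced class (which the file path suggests this is) that name contains backslashes. On Windows those are path separators, so `file_put_contents($this->tmp, …)` would target a nested path that likely does not exist. `basename($this->tmp)` in the `__destruct()` hunk would also return only the last segment, so the prefix test there would never match and temp files would not be cleaned up. A separator-free marker avoids this, e.g. `uniqid(str_replace('\\', '_', __CLASS__), true)`, with the same expression used in the destructor comparison. The enclosing method starts and ends outside this hunk.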
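Review bot: The prefix test added to `__destruct()` narrows what an injected instance can delete, but the class stays deserializable and `tmp` is still an untrusted property in that scenario, so the destructor is filtering at the sink rather than closing the entry point. Refusing to serialize or unserialize the adapter removes the gadget altogether. This assumes nothing in the project legitimately serializes a `FileCache`, which the hunk does not show. The two magic methods below would sit next to `__destruct()` and throw `\BadMethodCallException`; the prefix check can stay as defence in depth.

```php
    // … unchanged: __destruct() with the prefix check …

    public function __sleep()
    {
        throw new \BadMethodCallException('Cannot serialize ' . __CLASS__);
    }

    public function __wakeup()
    {
        throw new \BadMethodCallException('Cannot unserialize ' . __CLASS__);
    }
```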