Re-add writable directory check for target path

pull/701/head
fadrian06 3 days ago committed by GitHub
parent 49b750c329
commit fdb1804862
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -131,14 +131,15 @@ class UploadedFile
throw new Exception($this->getUploadErrorMessage($this->error)); throw new Exception($this->getUploadErrorMessage($this->error));
} }
if (is_writeable(dirname($targetPath)) === false) {
throw new Exception('Target directory is not writable');
}
// Prevent path traversal attacks // Prevent path traversal attacks
if (strpos($targetPath, '..') !== false) { if (strpos($targetPath, '..') !== false) {
throw new Exception('Invalid target path: contains directory traversal'); throw new Exception('Invalid target path: contains directory traversal');
} }
if (is_writeable(dirname($targetPath)) === false) {
throw new Exception('Target directory is not writable');
}
// Prevent absolute paths (basic check for Unix/Windows) // Prevent absolute paths (basic check for Unix/Windows)
if ($targetPath[0] === '/' || (strlen($targetPath) > 1 && $targetPath[1] === ':')) { if ($targetPath[0] === '/' || (strlen($targetPath) > 1 && $targetPath[1] === ':')) {
throw new Exception('Invalid target path: absolute paths not allowed'); throw new Exception('Invalid target path: absolute paths not allowed');
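Review bot: The `is_writeable(dirname($targetPath))` check is shown at two positions in this section, before the `..` check and after it, and the rendering does not say which one is the new side. In either position it runs before the absolute-path check, so the filesystem is probed with a path that has not been fully validated. The distinct `'Target directory is not writable'` message then tells a caller who controls `$targetPath` whether an arbitrary absolute directory exists and is writable. I would place the block `if (is_writeable(dirname($targetPath)) === false) { throw new Exception('Target directory is not writable'); }` after the absolute-path check, so that only validated paths reach the filesystem. The check is also only advisory, because the directory can change between this test and the actual move. The method body continues outside the hunk, so the result of the move itself presumably still needs to be checked there.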
