mirror/Part-DB.Part-DB-server
1
0
Fork 1
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2025-06-28 20:50:06 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Remove .. from attachments pathes, to prevent leaking of internal files.

Browse source
This commit is contained in:
Jan Böhmer 2019-09-25 16:49:44 +02:00
parent 2001680542
commit ac238c65a0
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/Services/AttachmentHelper.php
View file

@ -120,8 +120,8 @@ class AttachmentHelper
//Older path entries are given via %BASE% which was the project root
$placeholder_path = str_replace($placeholders, $targets, $placeholder_path);
//Normalize path
$placeholder_path = str_replace('\\', '/', $placeholder_path);
//Normalize path and remove ..
$placeholder_path = str_replace(['\\','..'], ['/',''], $placeholder_path);
return $placeholder_path;
}