daemon/script: Make absolutely sure to prevent traversal attacks

nilmerg · nilmerg · commit fb306e990a7e · 2024-06-12T15:48:45.000+02:00
diff --git a/application/controllers/DaemonController.php b/application/controllers/DaemonController.php
@@ -60,7 +60,7 @@ public function scriptAction(): void
                 ->getBaseDir() . '/public/js';
 
         $filePath = realpath($root . DIRECTORY_SEPARATOR . 'notifications-' . $fileName . $extension);
-        if ($filePath === false) {
+        if ($filePath === false || substr($filePath, 0, strlen($root)) !== $root) {
             if ($fileName === 'undefined') {
                 $this->httpNotFound(t("No file name submitted"));
             }

Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,7 @@ public function scriptAction(): void`
`60`	`60`	`->getBaseDir() . '/public/js';`
`61`	`61`
`62`	`62`	`$filePath = realpath($root . DIRECTORY_SEPARATOR . 'notifications-' . $fileName . $extension);`
`63`		`- if ($filePath === false) {`
	`63`	`+ if ($filePath === false \|\| substr($filePath, 0, strlen($root)) !== $root) {`
`64`	`64`	`if ($fileName === 'undefined') {`
`65`	`65`	`$this->httpNotFound(t("No file name submitted"));`
`66`	`66`	`}`