Patched the RCE (#636)

I have patched the file upload directory traversal to Authenticated Remote Code Execution Vulnerability.
pull/639/head
febinrev 3 weeks ago
committed by GitHub
parent
commit
2046bbde72
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
  1. 2
      tinyfilemanager.php

2
tinyfilemanager.php

@ -880,7 +880,7 @@ if (!empty($_FILES) && !FM_READONLY) {
$targetPath = $path . $ds;
if ( is_writable($targetPath) ) {
$fullPath = $path . '/' . $_REQUEST['fullpath'];
$fullPath = $path . '/' . str_replace("./","_",$_REQUEST['fullpath']);
$folder = substr($fullPath, 0, strrpos($fullPath, "/"));
if(file_exists ($fullPath) && !$override_file_name) {
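
Review bot: The new `$fullPath` assignment filters `$_REQUEST['fullpath']` with `str_replace("./","_",...)`, which is a denylist on one substring and does not establish that the resulting path stays inside `$path`. It is also tied to the forward-slash form, while `$targetPath` on the line above is built with `$ds`, and it silently rewrites legitimate names that happen to contain `./`. I would replace the substitution with a containment check: split the supplied path into segments, reject the upload if any segment is `.` or `..`, then canonicalize `$folder` (for example with `realpath()` once the directory exists) and confirm it begins with the canonical `$path` before anything is written. A short comment on this line stating why the input is filtered would also help the next maintainer.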
