Patched the RCE (#636)

I have patched the directory traversal in file upload that leads to an authenticated remote code execution vulnerability.
febinrev 2021-11-12 08:31:02 +05:30 committed by GitHub
parent c1718ff4c5
commit 2046bbde72
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 1 deletions


@ -880,7 +880,7 @@ if (!empty($_FILES) && !FM_READONLY) {
$targetPath = $path . $ds;
if ( is_writable($targetPath) ) {
$fullPath = $path . '/' . $_REQUEST['fullpath'];
$fullPath = $path . '/' . str_replace("./","_",$_REQUEST['fullpath']);
$folder = substr($fullPath, 0, strrpos($fullPath, "/"));
if(file_exists ($fullPath) && !$override_file_name) {
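Review bot: The `str_replace("./","_", ...)` on the new `$fullPath` line is a blacklist of one literal sequence, so it only neutralises `..` segments written with forward slashes; a backslash-separated `..` segment, which Windows treats as a path separator, passes through unchanged, and legitimate names that contain `./` are silently renamed instead of rejected. Refusing the request when any segment is `..` would be more robust, for example `if (in_array('..', preg_split('#[\\\\/]+#', $_REQUEST['fullpath']), true)) { /* refuse the upload */ }`, ideally followed by a check that the resolved folder still lies under `$path`. Nothing in the visible lines restricts the uploaded file's name or extension, so confirm that is enforced elsewhere in the upload block, which starts and ends outside this hunk.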