Deploy path traversal fix (#953)

Co-authored-by: root <root@chevaliers.lan>
2024-04-27 03:31:55 +02:00 · 2023-01-25 13:16:20 +07:00 · 2023-01-25 13:16:20 +07:00 · cddd7eaab0
parent dd1ba6795c
commit cddd7eaab0
1 changed files with 9 additions and 0 deletions
--- a/tinyfilemanager.php
+++ b/tinyfilemanager.php
@ -1065,6 +1065,15 @@ if (isset($_POST['group'], $_POST['token']) && (isset($_POST['zip']) || isset($_
    }

    $files = $_POST['file'];
+    $sanitized_files = array();
+
+    // clean path
+    foreach($files as $file){
+        array_push($sanitized_files, fm_clean_path($file));
+    }
+    
+    $files = $sanitized_files;
+    
    if (!empty($files)) {
        chdir($path);