From 5c9f630cce80e65af042261ccc748f0b1da469a1 Mon Sep 17 00:00:00 2001
From: Al Brookbanks
Date: Mon, 30 Oct 2023 09:57:53 +0000
Subject: [PATCH] #3410 - Directory traversal (any file download)

---
 admin/sources/filemanager.index.inc.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/admin/sources/filemanager.index.inc.php b/admin/sources/filemanager.index.inc.php
index b4b4828ac..245847769 100755
--- a/admin/sources/filemanager.index.inc.php
+++ b/admin/sources/filemanager.index.inc.php
@@ -17,7 +17,10 @@
 if(isset($_GET['download_file']) && !empty($_GET['download_file'])) {
- $file = CC_ROOT_DIR.'/'.base64_decode($_GET['download_file']);
+ $file = base64_decode($_GET['download_file']);
+ $file = str_replace(array('..'.DIRECTORY_SEPARATOR,'.'.DIRECTORY_SEPARATOR),'',$file);
+ $file = ltrim($file, DIRECTORY_SEPARATOR);
+ $file = CC_ROOT_DIR.'/'.$file;
 if(file_exists($file)) { // It really should exist
 deliverFile($file);
 }