CVE-2023-35840: [VD:LocalFileSystem] Security fixes, directory traversal vulnerability · Studio-42/elFinder@bb9aaa7
_joinPath in elFinderVolumeLocalFileSystem.class.php in elFinder before 2.1.62 allows path traversal in the PHP LocalVolumeDriver connector.
@@ -373,9 +373,13 @@ protected function _joinPath($dir, $name)
// realpath() returns FALSE if the file does not exist
if ($path === false || strpos($path, $this->root) !== 0) {
if (DIRECTORY_SEPARATOR !== ‘/’) {
$dir = str_replace('/’, DIRECTORY_SEPARATOR, $dir);
$name = str_replace('/’, DIRECTORY_SEPARATOR, $name);
}
// Directory traversal measures
if (strpos($dir, ‘…’ . DIRECTORY_SEPARATOR) !== false || substr($dir, -2) == ‘…’) {
$dir = $this->root;
}
if (strpos($name, ‘…’ . DIRECTORY_SEPARATOR) !== false) {
$name = basename($name);
}
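Review bot: the `$name` branch (the last `if` in this hunk) only checks for `'..' . DIRECTORY_SEPARATOR` and has no counterpart to the `substr($dir, -2) == '..'` test that the `$dir` branch applies, so a `$name` that is exactly `..` or ends in `..` passes through untouched; and since `basename('..')` still returns `..`, the `basename($name)` fallback does not neutralize that component either. Suggest mirroring the trailing-`..` check for `$name` and, when it matches, rejecting the component or replacing it with a safe default rather than relying on `basename()` alone. A short comment noting that this block only runs as a fallback when `realpath()` returned `false` or the resolved path left `$this->root` would also help future readers see why the string checks sit after the `realpath()` test.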