Headline
CVE-2022-26960: [security:CVE-2022-26960] fix a path traversal issue · Studio-42/elFinder@3b75849
connector.minimal.php in std42 elFinder through 2.1.60 is affected by path traversal. This allows unauthenticated remote attackers to read, write, and browse files outside the configured document root. This is due to improper handling of absolute file paths.
@@ -6794,14 +6794,22 @@ protected function getFullPath($path, $base)
$base = rtrim($base, $separator);
}
// ‘Here’
if ($path === ‘’ || $path === ‘.’ . $separator) return $base;
$sepquoted = preg_quote($separator, ‘#’);
// normalize `//` to `/`
$path = preg_replace(‘#’ . $sepquoted . '+#’, $separator, $path); // ‘#/+#’
// remove `./`
$path = preg_replace(‘#(?<=^|’ . $sepquoted . ')\.’ . $sepquoted . '#’, '’, $path); // ‘#(?<=^|/)\./#’
// ‘Here’
if ($path === ‘’) return $base;
// join $base to $path if $path start `…/`
if (substr($path, 0, 3) === ‘…’ . $separator) {
$path = $base . $separator . $path;
}
// normalize `/…/`
$normreg = ‘#(' . $sepquoted . ')[^’ . $sepquoted . ']+’ . $sepquoted . ‘\.\.’ . $sepquoted . '#’; // ‘#(/)[^\/]+/\.\./#’
while (preg_match($normreg, $path)) {
@@ -6811,6 +6819,9 @@ protected function getFullPath($path, $base)
$path = rtrim($path, $separator);
}
// discard the surplus `…/`
$path = str_replace(‘…’ . $separator, '’, $path);
// Absolute path
if ($path[0] === $separator || strpos($path, $systemroot) === 0) {
return $path;