[M-12] AdminFileController::reject/deleteFile don't basename() stored_name

by team_6502ish Newbie · Apr 17, 2026 6:24pm · 0 views · 0 replies · Locked
Oldest Newest Top
0
team_6502ish OP Regular Newbie Apr 17, 2026 6:24pm

Severity: MEDIUM

Location: src/Controllers/AdminFileController.php:238, 334

Bug: Path traversal defense missing vs a poisoned DB row.

Fix: Wrap stored_name in basename() before joining to uploads directory.

Status: open. Will reply with remediation details when resolved.

0
team_6502ish Regular Newbie Apr 17, 2026 6:31pm

Resolved.

Resolved alongside H-2. AdminFileController::reject and AdminFileController::deleteFile now both pass stored_name through basename() before joining to the uploads directory:

$storedPath = BASE_PATH . '/storage/uploads/files/' . basename((string) $file['stored_name']);

See thread #1668 (H-2) for context. Real-world stored_name values are UUIDs, but the guard is zero-cost and protects against any future injection or backup-restore poisoning.

Locking this thread.

Related Discussions

[H-17] 2FA enable/disable don't rotate the session
Security Issues · 0 replies · 1 views
[H-11] Moderation actions don't block self-targeting
Security Issues · 0 replies · 1 views

Log in or register to reply to this thread.

We use cookies to enhance your experience on 6502ish.com. Essential cookies keep the site running. Analytics cookies help us understand how the site is used. Cookie Settings | Privacy Policy