Added protections against path traversal in file system operations

- Files within the storage/ path could be accessed via path traversal references in content, accessed upon HTML export. - This addresses this via two layers: - Scoped local flysystem filesystems down to the specific image & file folders since flysystem has built-in checking against the escaping of the root folder. - Added path normalization before enforcement of uploads/{images,file} prefix to prevent traversal at a path level. Thanks to @Haxatron via huntr.dev for discovery and reporting. Ref: https://huntr.dev/bounties/ac268a17-72b5-446f-a09a-9945ef58607a/
2026-01-03 23:42:28 +03:00 · 2021-10-08 17:47:14 +01:00
parent 81d6b1b016
commit 7224fbcc89
3 changed files with 92 additions and 54 deletions
--- a/app/Config/filesystems.php
+++ b/app/Config/filesystems.php
@@ -37,9 +37,14 @@ return [
            'root'   => public_path(),
        ],

-        'local_secure' => [
+        'local_secure_attachments' => [
            'driver' => 'local',
-            'root'   => storage_path(),
+            'root'   => storage_path('uploads/files/'),
+        ],
+
+        'local_secure_images' => [
+            'driver' => 'local',
+            'root'   => storage_path('uploads/images/'),
        ],

        's3' => [