mirror of https://github.com/BookStackApp/BookStack.git synced 2024-10-30 15:42:41 +01:00
BookStack/app
Dan Brown 7224fbcc89
Added protections against path traversal in file system operations
- Files within the storage/ path could be accessed via path traversal
  references in content, accessed upon HTML export.
- This addresses this via two layers:
  - Scoped local flysystem filesystems down to the specific image &
    file folders since flysystem has built-in checking against the
    escaping of the root folder.
  - Added path normalization before enforcement of uploads/{images,file}
    prefix to prevent traversal at a path level.

Thanks to @Haxatron via huntr.dev for discovery and reporting.
Ref: https://huntr.dev/bounties/ac268a17-72b5-446f-a09a-9945ef58607a/
2021-10-08 17:47:14 +01:00
Name              Last commit                                                            Date
----------------  ---------------------------------------------------------------------  -------------------------
Actions           Applied StyleCI changes                                                2021-09-29 23:53:11 +01:00
Api               Updated API auth handling of email confirmations                       2021-08-05 22:07:08 +01:00
Auth              Applied StyleCI changes                                                2021-09-29 23:53:11 +01:00
Config            Added protections against path traversal in file system operations     2021-10-08 17:47:14 +01:00
Console           Applied styleci changes                                                2021-09-26 15:48:22 +01:00
Entities          Fixed search query issues when table prefixes are used                 2021-10-08 15:25:12 +01:00
Exceptions        Converted AuthTest away from BrowserKit                                2021-09-17 23:44:54 +01:00
Facades           Apply fixes from StyleCI                                               2021-06-26 15:23:15 +00:00
Http              Forced response cache revalidation on logged-in responses              2021-10-08 15:22:09 +01:00
Interfaces        Apply fixes from StyleCI                                               2021-06-26 15:23:15 +00:00
Notifications     Apply fixes from StyleCI                                               2021-06-26 15:23:15 +00:00
Providers         Applied styleci changes                                                2021-09-26 15:48:22 +01:00
Settings          Apply fixes from StyleCI                                               2021-06-26 15:23:15 +00:00
Theming           Applied latest styleci changes                                         2021-09-06 22:19:06 +01:00
Traits            Apply fixes from StyleCI                                               2021-06-26 15:23:15 +00:00
Translation       Apply fixes from StyleCI                                               2021-08-21 14:49:40 +00:00
Uploads           Added protections against path traversal in file system operations     2021-10-08 17:47:14 +01:00
Util              Altered the parsing of custom head to prevent htmlentities on content  2021-09-12 16:19:17 +01:00
Application.php   Apply fixes from StyleCI                                               2021-06-26 15:23:15 +00:00
helpers.php       Merge branch 'v21.05.x'                                                2021-07-03 12:02:13 +01:00
Model.php         Apply fixes from StyleCI                                               2021-06-26 15:23:15 +00:00