mirror of https://github.com/BookStackApp/BookStack.git synced 2024-11-24 20:02:35 +01:00
BookStack/app/Config
Dan Brown 7224fbcc89
Added protections against path traversal in file system operations
- Files within the storage/ path could be accessed via path traversal
  references in content, accessed upon HTML export.
- This addresses this via two layers:
  - Scoped local flysystem filesystems down to the specific image &
    file folders since flysystem has built-in checking against the
    escaping of the root folder.
  - Added path normalization before enforcement of uploads/{images,file}
    prefix to prevent traversal at a path level.

Thanks to @Haxatron via huntr.dev for discovery and reporting.
Ref: https://huntr.dev/bounties/ac268a17-72b5-446f-a09a-9945ef58607a/
2021-10-08 17:47:14 +01:00
api.php Apply fixes from StyleCI 2021-06-26 15:23:15 +00:00
app.php Applied StyleCI changes 2021-08-31 22:03:51 +01:00
auth.php Apply fixes from StyleCI 2021-06-26 15:23:15 +00:00
broadcasting.php Apply fixes from StyleCI 2021-06-26 15:23:15 +00:00
cache.php Apply fixes from StyleCI 2021-06-26 15:23:15 +00:00
database.php Reviewed addition to db table prefix 2021-09-29 18:41:11 +01:00
debugbar.php Apply fixes from StyleCI 2021-06-26 15:23:15 +00:00
dompdf.php Added untrusted server fetching control 2021-08-31 20:22:42 +01:00
filesystems.php Added protections against path traversal in file system operations 2021-10-08 17:47:14 +01:00
hashing.php Apply fixes from StyleCI 2021-06-26 15:23:15 +00:00
logging.php Apply fixes from StyleCI 2021-06-26 15:23:15 +00:00
mail.php Apply fixes from StyleCI 2021-06-26 15:23:15 +00:00
queue.php Apply fixes from StyleCI 2021-06-26 15:23:15 +00:00
saml2.php Apply fixes from StyleCI 2021-06-26 15:23:15 +00:00
services.php Apply fixes from StyleCI 2021-06-26 15:23:15 +00:00
session.php Apply fixes from StyleCI 2021-06-26 15:23:15 +00:00
setting-defaults.php Apply fixes from StyleCI 2021-06-26 15:23:15 +00:00
snappy.php Apply fixes from StyleCI 2021-06-26 15:23:15 +00:00
view.php Moved config dir into app dir 2019-07-06 13:44:50 +01:00