
Fix security issue for deleting arbitrary files
hamidsamak committed Oct 8, 2021
1 parent 15d7f58 commit bb95677
Showing 1 changed file with 21 additions and 2 deletions.
23 changes: 21 additions & 2 deletions pheditor.php
Expand Up @@ -192,7 +192,7 @@

$dir = realpath(rtrim(MAIN_DIR . DS . trim($_GET['path'], '/'), '/'));

if (file_exists($dir) === false || is_dir($dir) === false || strpos($dir, MAIN_DIR) !== 0) {
if ($dir === false || check_path($dir) !== true) {
die('[]');
}

Expand Down Expand Up @@ -380,7 +380,7 @@
break;

case 'delete':
if (isset($_POST['path']) && file_exists(MAIN_DIR . $_POST['path'])) {
if (isset($_POST['path']) && file_exists(MAIN_DIR . $_POST['path']) && check_path(MAIN_DIR . $_POST['path'])) {
$path = MAIN_DIR . $_POST['path'];

if ($_POST['path'] == '/') {
Expand All @@ -400,6 +400,10 @@
echo json_success('Directory deleted successfully');
}
} else {
if (empty(PATTERN_FILES) === false && !preg_match(PATTERN_FILES, basename($_POST['path']))) {
die(json_error('Invalid file patterna'));
}

file_to_history($path);

if (is_writable($path)) {
Expand Down Expand Up @@ -618,6 +622,21 @@ function json_success($message, $params = [])
], $params), JSON_UNESCAPED_UNICODE);
}

function check_path($path, $check_existence = true)
{
if ($check_existence === false) {
$path = dirname($path);
}

$real_path = realpath($path);

if (strpos($real_path, MAIN_DIR) === 0) {
return true;
}

return false;
}

$_SESSION['pheditor_token'] = bin2hex(random_bytes(32));

?>
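Review bot: The new `check_path()` in the last hunk only tests that the resolved path starts with the string MAIN_DIR (`strpos($real_path, MAIN_DIR) === 0`), so a sibling directory whose name merely extends the root — `.../pheditor2` beside `.../pheditor` — satisfies the check, and the `case 'delete'` branch above would then unlink files outside the editor root via a path such as `../pheditor2/file`. The comparison needs a separator boundary and an explicit guard for realpath() returning false, e.g. `$base = rtrim(MAIN_DIR, DS);` followed by `if ($real_path !== false && ($real_path === $base || strpos($real_path, $base . DS) === 0)) {`. This presumes MAIN_DIR is itself a canonical absolute path with no trailing separator, which its use in `realpath(rtrim(MAIN_DIR . DS . ...))` in the first hunk suggests but the diff cannot confirm; if MAIN_DIR can contain a symlink, it should be passed through realpath() once as well or every legitimate path will be rejected. Separately, the error string `'Invalid file patterna'` added in the delete branch has a stray trailing character.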
