Searched hist:"9af82229f03804fb3198cbdf48d60d34d8afb191" (Results 1 – 3 of 3) sorted by relevance
| /dokuwiki/lib/plugins/extension/_test/testdata/evilbase/ |
| H A D | plugin.info.txt | 9af82229f03804fb3198cbdf48d60d34d8afb191 Thu Jun 25 19:08:43 UTC 2026 Andreas Gohr <gohr@cosmocode.de> extension: validate base name to prevent path traversal on install
The extension base name flowed unsanitized from an uploaded archive's plugin.info.txt (or an extension id) into getInstallDir(), where fullpath() collapses '..' segments. A crafted base such as '../../../../evil' therefore resolved outside lib/plugins/, letting dircopy() write the archive contents to an arbitrary web-writable path.
Route every base assignment through a new setBase() that rejects anything other than a bare extension name.
Note: this is not really a security concern since plugins can execute arbitrary code by design. This is mostly to make sure plugin code is not installed accidentally at the wrong location.
|
| /dokuwiki/lib/plugins/extension/_test/ |
| H A D | ExtensionTest.php | 9af82229f03804fb3198cbdf48d60d34d8afb191 Thu Jun 25 19:08:43 UTC 2026 Andreas Gohr <gohr@cosmocode.de> extension: validate base name to prevent path traversal on install
|
| /dokuwiki/lib/plugins/extension/ |
| H A D | Extension.php | 9af82229f03804fb3198cbdf48d60d34d8afb191 Thu Jun 25 19:08:43 UTC 2026 Andreas Gohr <gohr@cosmocode.de> extension: validate base name to prevent path traversal on install
|