Security: Clean path when upload files to avoid arbitrary file write

chamilo · Apr 11, 2024 · d7ead2f · d7ead2f
1 parent c9f912b
commit d7ead2f
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 3 deletions.
diff --git a/main/inc/lib/fileUpload.lib.php b/main/inc/lib/fileUpload.lib.php
@@ -343,7 +343,7 @@ function handle_uploaded_document(
             }
 
             // Full path to where we want to store the file with trailing slash
-            $whereToSave = $documentDir.$uploadPath;
+            $whereToSave = Security::cleanPath($documentDir.$uploadPath).'/';
 
             // At least if the directory doesn't exist, tell so
             if (!is_dir($whereToSave)) {

diff --git a/main/inc/lib/security.lib.php b/main/inc/lib/security.lib.php
@@ -64,8 +64,7 @@ public static function check_abs_path(string $abs_path, string $checker_path): b
         }
 
         // Clean $abs_path.
-        $abs_path = str_replace(['//', '../'], ['/', ''], $abs_path);
-        $true_path = str_replace("\\", '/', realpath($abs_path));
+        $true_path = self::cleanPath($abs_path);
         $checker_path = str_replace("\\", '/', realpath($checker_path));
 
         if (empty($checker_path)) {
@@ -89,6 +88,13 @@ public static function check_abs_path(string $abs_path, string $checker_path): b
         return false;
     }
 
+    public static function cleanPath(string $absPath): string
+    {
+        $absPath = str_replace(['//', '../'], ['/', ''], $absPath);
+
+        return str_replace("\\", '/', realpath($absPath));
+    }
+
     /**
      * Checks if the relative path (directory) given is really under the
      * checker path (directory).