This repository was archived by the owner on Mar 24, 2025. It is now read-only.

Commit 41fe378

Merge pull request #462 from kanarip/dev/directory-traversal
Fix directory traversal issue
2 parents 87aebd3 + 96a93e9 commit 41fe378


1 file changed

+9
-1
lines changed


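--- a/src/Transformers/Request.php
+++ b/src/Transformers/Request.php
@@ -183,12 +183,20 @@ public static function handleStatic($swooleRequest, $swooleResponse, string $pub
 {
 $uri = $swooleRequest->server['request_uri'] ?? '';
 $extension = strtok(pathinfo($uri, PATHINFO_EXTENSION), '?');
-$fileName = $publicPath . $uri;
+$fileName = @realpath($publicPath . $uri);
+
+if (!$fileName) {
+return false;
+}
 
 if ($extension && in_array($extension, static::EXTENSION_BLACKLIST)) {
 return false;
 }
 
+if (substr($fileName, 0, strlen($publicPath)) != $publicPath) {
+return false;
+}
+
 if (! is_file($fileName) || ! filesize($fileName)) {
 return false;
 }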
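Review bot: The containment check added at new lines 196–198 is a raw string-prefix comparison, so it neither canonicalises `$publicPath` nor requires a directory separator after it. A resolved path in a sibling directory whose name merely begins with the public directory's name (constructed example: `public_old` next to `public`) still passes the check. In the other direction, a `$publicPath` given in relative form or containing a symlink or `..` segment will never match the `realpath()` result, so every static file would be refused. I would resolve the root once and compare with a boundary: `$root = realpath($publicPath);` followed by `if ($root === false || strncmp($fileName, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) { return false; }`. The extension blacklist is also still evaluated on `$uri` rather than on the resolved `$fileName`, which may differ if a symlink is followed; the body of `handleStatic` continues past this hunk, so that is worth confirming there.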
