fix: sanitize client-provided filename in UploadedFile::move() to prevent path traversal#10282
Open
gr8man wants to merge 4 commits into
Conversation
Hi there, gr8man! 👋 Thank you for sending this PR! We expect the following in all Pull Requests (PRs).

Important: We expect all code changes or bug-fixes to be accompanied by one or more tests added to our test suite to prove the code works. If pull requests do not comply with the above, they will likely be closed. Since we are a team of volunteers, we don't have any more time to work

See https://github.com/codeigniter4/CodeIgniter4/blob/develop/contributing/pull_request.md

Sincerely, the mergeable bot 🤖
Description
Currently, when developers call `$file->move($targetDir)` without explicitly providing the `$name` parameter, the system defaults to `$this->getName()`, which returns the original, unverified filename provided by the client in the `$_FILES` array. This creates a severe Path Traversal (Arbitrary File Write) vulnerability. If a malicious client uploads a file named `../../public/shell.php`, the built-in `move_uploaded_file()` function will resolve the path and successfully write the script outside the intended upload directory, leading to potential Remote Code Execution (RCE).

This PR mitigates the vulnerability by applying the `sanitize_filename()` helper to the client-provided `$name` fallback in `UploadedFile::move()`.

Crucially, the sanitization is applied only when the developer does not explicitly pass the `$name` argument. This ensures full backward compatibility for developers who manually and intentionally specify valid relative path structures (e.g., `$file->move($dir, 'subdir/file.jpg')`).

A new unit test (`testMovePathTraversal`) was added to `FileMovingTest.php` to ensure that path traversal attempts (like `../public/shell.php`) are properly neutralized into safe filenames (like `publicshell.php`) and kept strictly within the intended destination directory.

Checklist:
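The two behaviours the description contrasts, as an added example that is not CodeIgniter's code (the framework's real `sanitize_filename()` is not reproduced): a hypothetical `safeUploadName()` for the untrusted client-supplied fallback, and a hypothetical lexical check `staysInside()` for developer-supplied relative names such as `subdir/file.jpg`. The target path and filenames are constructed samples.

```php
<?php
// Added illustration, not CodeIgniter's implementation. Both helpers are hypothetical.

// Fallback for the client-supplied name: reduce it to a single safe basename.
function safeUploadName(string $clientName): string
{
    // Treat backslashes as separators too, then keep only the last path segment.
    $name = basename(str_replace('\\', '/', $clientName));
    // Remove anything outside a conservative allow-list of characters.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '', $name) ?? '';
    // Leading dots would yield "..", "." or a hidden file such as .htaccess.
    $name = ltrim($name, '.');
    return $name === '' ? 'upload' : $name;
}

// Check for developer-supplied relative names: allow "subdir/file.jpg",
// reject any ".." sequence that would climb above the target directory.
function staysInside(string $relative): bool
{
    $depth = 0;
    foreach (explode('/', str_replace('\\', '/', $relative)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if ($depth === 0) {
                return false; // would escape the target directory
            }
            $depth--;
            continue;
        }
        $depth++;
    }
    return $depth > 0; // must end on a filename, not the directory itself
}

$targetDir = '/var/www/writable/uploads'; // constructed sample path

// Constructed client filenames, including the traversal case from the description.
foreach (['report.pdf', '../../public/shell.php', '..\\..\\shell.php', '.htaccess'] as $client) {
    printf("client %-24s unsanitized: %-45s sanitized: %s\n",
        $client, $targetDir . '/' . $client, $targetDir . '/' . safeUploadName($client));
}

// Developer-supplied names: explicitly passed, but still checked for containment.
foreach (['subdir/file.jpg', 'a/../b.txt', '../escape.txt'] as $explicit) {
    printf("explicit %-20s %s\n", $explicit, staysInside($explicit) ? 'allowed' : 'rejected');
}
```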