Fix (arbitrary) File Read #14

@qtc-de

Description

Hi @ankushagarwal 👋,

private vulnerability reporting is unfortunately deactivated for this project, but the vulnerability was already disclosed in #1 anyway. In the current implementation, clients can simply provide absolute paths to escape from the intended webroot. However, I do not recommend merging #1 because:

  1. The fix suggested in this PR can be bypassed
  2. It adds a bypass for the allowed filetype list

Instead, a different fix should be implemented.

I know, this repository is quite old and seems to be no longer maintained. However, the tool is quite popular and I saw it being used by a production system recently. Therefore, you should go ahead and reserve a CVE for this issue. If there is no reaction after some time, I will go ahead and claim a CVE for this issue. Hope this is okay for you :)

Best regards
Tobias
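The comment above describes the root cause (client-supplied absolute paths replace the intended webroot) and warns that a naive fix can be bypassed and can also sidestep the allowed filetype list. The following is an added illustration of the kind of containment check a static file server needs; it is not code from this repository or from PR #1, and the webroot layout, the extension allowlist and the request strings are all constructed for the example. The core idea is to canonicalize the joined path with `os.path.realpath` and then prove it still lies under the canonical webroot, which handles absolute paths, `..` sequences and symlinks that point outside the root; the filetype check runs only after containment is established so that it cannot be used to reach a path that was never validated.

```python
import os
import tempfile

# Constructed allowlist for the example; the project's real list is not shown on the page.
ALLOWED_EXTENSIONS = {".html", ".css", ".js", ".png"}


def resolve_within_webroot(webroot: str, requested: str):
    """Map a client-supplied path onto webroot.

    Returns the canonical filesystem path, or None when the request would land
    outside webroot (absolute path, ../ traversal, or a symlink escape).
    """
    root = os.path.realpath(webroot)
    # Dropping leading separators turns an absolute client path into a relative one,
    # so "/etc/passwd" becomes "<webroot>/etc/passwd" instead of replacing the root.
    relative = requested.lstrip("/\\")
    candidate = os.path.realpath(os.path.join(root, relative))
    # realpath collapses ".." and follows symlinks, so a prefix check on the
    # canonical path is the actual containment test.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def is_allowed_type(path: str) -> bool:
    """Allowlist check on the final suffix only, applied after containment is proven."""
    return os.path.splitext(path)[1].lower() in ALLOWED_EXTENSIONS


def serve_decision(webroot: str, requested: str) -> str:
    """Combine both checks the way a request handler would: 'ok', 'escape' or 'type'."""
    path = resolve_within_webroot(webroot, requested)
    if path is None:
        return "escape"
    if not is_allowed_type(path):
        return "type"
    return "ok"


def demo_cases() -> dict:
    """Build a throwaway webroot and classify a few representative requests.

    Each value is (decision, path relative to the webroot or None).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "webroot")
        os.makedirs(os.path.join(root, "assets"))
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>hi</h1>")
        # A file that must never be reachable through the server.
        with open(os.path.join(tmp, "secret.txt"), "w") as fh:
            fh.write("outside the webroot")
        # A symlink inside the webroot that points outside of it; the ".html"
        # suffix would pass a suffix-only filetype check on its own.
        os.symlink(os.path.join(tmp, "secret.txt"),
                   os.path.join(root, "assets", "link.html"))

        requests = {
            "plain": "index.html",
            "absolute": "/etc/passwd",
            "dotdot": "../secret.txt",
            "nested_dotdot": "assets/../index.html",
            "symlink_escape": "assets/link.html",
            "wrong_type": "notes.txt",
        }
        canonical_root = os.path.realpath(root)
        results = {}
        for name, req in requests.items():
            path = resolve_within_webroot(root, req)
            rel = None if path is None else os.path.relpath(path, canonical_root)
            results[name] = (serve_decision(root, req), rel)
        return results


if __name__ == "__main__":
    for name, outcome in demo_cases().items():
        print(f"{name:15s} -> {outcome}")
```

Note that `"/etc/passwd"` is no longer an escape: it is mapped to `etc/passwd` inside the webroot and then rejected only because it has no allowed extension. Decoding of the URL path (percent-encoding, query string) is assumed to have happened before the string reaches `resolve_within_webroot`; a server that decodes after this check would reintroduce the problem.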
