Bug 8396 - File manager with path_info_disabled can explore outside files dir
Status: RESOLVED FIXED
Product: OJS
Classification: Unclassified
Component: General
Version: 2.4.3
Hardware/OS: All All
Importance: P3 normal
Assigned To: Alec Smecher
Reported: 2013-08-15 09:38 PDT by Alec Smecher
Modified: 2013-08-15 09:48 PDT

Description Alec Smecher 2013-08-15 09:38:41 PDT
Paths containing e.g. ../../../ can be used to explore outside the files dir as Journal Manager with path_info_disabled.
Comment 1 Alec Smecher 2013-08-15 09:44:02 PDT
Fixed disable_path_info slash checking in paths
https://github.com/pkp/ojs/commit/a843a040f7a309a6eb3726582d26dc3f7b4b3ef5
Comment 3 Alec Smecher 2013-08-15 09:45:02 PDT
Fixed file name filter to include slashes
https://github.com/pkp/ocs/commit/b6da8cfcf13032a29694c46bbe21a52985b987a9
Comment 4 Alec Smecher 2013-08-15 09:48:01 PDT
Fixed file name filter to include slashes
https://github.com/pkp/ocs/commit/a1b41b718736db9d77eebc93156b0f3686396666