Hi @ankushagarwal 👋,

private vulnerability reporting is unfortunately deactivated for this project, but the vulnerability was already disclosed in #1 anyway. In the current implementation, clients can simply provide absolute paths to escape from the intended webroot. However, I do not recommend merging #1 because:
The fix suggested in this PR can be bypassed
It adds a bypass for the allowed filetype list
Instead a different fix should be implemented.
I know, this repository is quite old and seems to be no longer maintained. However, the tool is quite popular and I saw it being used by a production system recently. Therefore, you should go ahead and reserve a CVE for this issue. If there is no reaction after some time, I will go ahead and claim a CVE for this issue. Hope this is okay for you :)
Best regards
Tobias
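A containment check of the kind the report asks for, as an added example that is not code from the project or from the reporter. Python, the webroot path and the allowed-extension list are assumptions; the point is that both checks run on the fully resolved path, so an absolute client path, a `..` segment or a symlink cannot leave the webroot, and the file-type check cannot be sidestepped by the raw request string.

```python
import os
from typing import Optional

# Constructed allow-list; a real server would take this from its configuration.
ALLOWED_EXTENSIONS = {".html", ".css", ".js", ".png"}


def resolve_request_path(webroot: str, requested: str) -> Optional[str]:
    """Map a client-supplied path to a file inside webroot.

    Returns the absolute filesystem path, or None if the request would
    leave webroot or names a file type that is not allowed.
    """
    root = os.path.realpath(webroot)
    # Drop leading separators: os.path.join('/srv/www', '/etc/passwd')
    # would otherwise return '/etc/passwd', replacing the root entirely.
    relative = requested.lstrip("/\\")
    # realpath collapses '..' and follows symlinks before any check runs.
    candidate = os.path.realpath(os.path.join(root, relative))
    # Containment: commonpath avoids the prefix bug where '/srv/wwwx'
    # would pass a naive startswith('/srv/www') test.
    if os.path.commonpath([root, candidate]) != root:
        return None
    # File-type check on the resolved name, after containment, so the
    # allow-list is applied to what would actually be opened.
    _, ext = os.path.splitext(candidate)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("index.html", "/etc/passwd", "../../etc/passwd", "../wwwx/a.html"):
        print(repr(req), "->", resolve_request_path("/srv/www", req))
```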