Security issue in render_file
Reported by Fabrice Luraine | November 30th, 2009 @ 09:42 AM
render_file allows accessing any files from outside the public folder using ../.
Can be solved with a quick fix by stripping those ../
I plan to add an improved security policy with a safe_dir option.
(Thx to Zncdr who reported that issue)
Comments and changes to this ticket
Fabrice Luraine November 30th, 2009 @ 09:50 AM
- State changed from new to resolved
(from [c99be76fc22bbd5de7e167fab8100e800bf5ce55]) Fixing big security issue in render_file that allows accessing any files from outside public folder using ../ Improved security behaviour will be added later (with a safe_dir option). [#35 state:resolved]
http://github.com/sofadesign/limonade/commit/c99be76fc22bbd5de7e167...
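
A containment check of the kind a safe_dir option could perform, as an added example that is not Limonade's code and not the fix in the commit referenced above. The helper name `resolve_in_safe_dir` is hypothetical and the directory layout is constructed in a temp folder for the demonstration.

```php
<?php
// Added example, not Limonade code. resolve_in_safe_dir() is a hypothetical helper.

/**
 * Resolve $requested relative to $safe_dir and return the canonical path,
 * or null when the file is missing or lies outside $safe_dir.
 */
function resolve_in_safe_dir(string $safe_dir, string $requested): ?string
{
    // NUL bytes never belong in a file name (realpath() throws on them in PHP 8).
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($safe_dir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, so the prefix test below
    // is made on the real location instead of on the string the caller sent.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare with a trailing separator so that a sibling such as
    // "public-old" does not pass as being inside "public".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sample layout: one public file, one file above the public
// folder, and one file in a sibling folder sharing the same name prefix.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'safe_dir_demo_' . getmypid();
mkdir($root . '/public', 0700, true);
mkdir($root . '/public-old', 0700, true);
file_put_contents($root . '/public/logo.txt', 'public asset');
file_put_contents($root . '/secret.txt', 'not for download');
file_put_contents($root . '/public-old/old.txt', 'sibling dir');

$cases = ['logo.txt', '../secret.txt', '../public-old/old.txt', 'missing.txt'];
foreach ($cases as $name) {
    $path = resolve_in_safe_dir($root . '/public', $name);
    printf("%-24s %s\n", $name, $path === null ? 'refused' : 'served');
}
```

The check decides on the canonical path after resolution, so it does not depend on which traversal sequences were stripped from the input beforehand.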
Limonade is a PHP micro-framework.