Fix CVE-2023-35169 issue in webklex/laravel-imap
freescout-help-desk committed Sep 23, 2023
1 parent 7b32dde commit d62bf49
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions overrides/webklex/laravel-imap/src/IMAP/Attachment.php
@@ -195,6 +195,10 @@ public function save($path = null, $filename = null) {
$path = $path ?: storage_path();
$filename = $filename ?: $this->getName();

// sanitize $name
// order of '..' is important
$filename = str_replace(['\\', '/', chr(0), ':', '..'], '', $filename ?? '');

$path = substr($path, -1) == DIRECTORY_SEPARATOR ? $path : $path.DIRECTORY_SEPARATOR;

return File::put($path.$filename, $this->getContent()) !== false;
@@ -258,6 +262,10 @@ public function setName($name) {
if (preg_match('/%[0-9A-F]{2}/i', $name)) {
$name = urldecode($name);
}

// sanitize $name
// order of '..' is important
$name = str_replace(['\\', '/', chr(0), ':', '..'], '', $name);
}

$this->name = $name;
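Review bot: In `save()`, the sanitized `$filename` can come out empty or as a single `.` (a null name, a name made up only of stripped characters, or an odd run of dots), and `File::put($path.$filename, ...)` is then aimed at the directory itself; a fallback right after the `str_replace`, such as `if ($filename === '' || $filename === '.') { $filename = 'attachment_'.bin2hex(random_bytes(8)); }`, would keep the write well-defined. The filter removes only path syntax, so the sender-chosen extension still reaches disk unchanged; a comment should state that callers saving into a web-served directory need their own extension allow-list. The same `str_replace` call is duplicated in `setName()`, where it sits inside a conditional that opens outside the hunk, so names that skip that branch are presumably stored unsanitized and only caught later in `save()`; one private helper called from both places would keep the two copies from drifting. The comment in `save()` says `// sanitize $name` but the variable there is `$filename`.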