adds traversal check to deleteion

2024-06-26 18:20:43 +12:00 · 2021-02-05 12:18:12 +01:00 · 2021-02-05 12:18:12 +01:00 · 078b5360d3
parent f97c87a3e9
commit 078b5360d3
1 changed files with 3 additions and 2 deletions
--- a/app/workers/deletes.php
+++ b/app/workers/deletes.php
@ -314,9 +314,10 @@ class DeletesV1
    {
        $domain = $document->getAttribute('domain');
        $directory = APP_STORAGE_CERTIFICATES . '/' . $domain;
+        $checkTraversal = realpath($directory) === $directory;

-        if($domain && is_dir($directory)) {
-            array_map('unlink', glob("$directory/*.*"));
+        if($domain && $checkTraversal && is_dir($directory)) {
+            array_map('unlink', glob($directory.'/*.*'));
            rmdir($directory);
            Console::info("Deleted certificate files for {$domain}");
        } else {