https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42404
--- Comment #18 from Martin Renvoize (ashimema) <[email protected]> ---
Created attachment 200837
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=200837&action=edit
Bug 42404: (follow-up) Reject symlinks in image file paths

The existing path-traversal check guards against filenames that resolve outside the extraction directory, but did not guard against symlinks that point to arbitrary host filesystem paths (e.g. /etc/passwd).

Add an explicit -l check for each resolved image path before passing it to GD::Image->new(); symlinks are treated as path_traversal errors and the image is skipped.

The mapping-file symlink checks introduced earlier are therefore consistent across all file reads in the job.

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
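The comment above describes two separate checks on every file read from the extracted archive: the resolved path must stay inside the extraction directory, and the entry must not be a symlink. The following is an added Perl example (not Koha's code and not the attachment itself) showing how those checks combine in one validation routine; the function name `validated_image_path`, the error codes and the constructed sample directory are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example, not Koha's code: validate an image path taken from an
# extracted archive before handing it to an image library. It mirrors the
# two checks the bug comment describes:
#   1. the entry must not be a symlink (-l, which uses lstat and does not
#      follow the link, so a link to /etc/passwd is rejected as-is);
#   2. the realpath-resolved file must stay inside the extraction directory.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Returns ( $safe_path, undef ) on success or ( undef, $error_code ) when
# the entry must be skipped. Both out-of-tree paths and symlinks map to
# 'path_traversal', as in the follow-up described above (name assumed).
sub validated_image_path {
    my ( $extract_dir, $relative_name ) = @_;

    my $base = realpath($extract_dir);
    return ( undef, 'bad_base' ) unless defined $base && -d $base;

    # catfile canonicalises separators but deliberately keeps "..",
    # so traversal is caught by the containment check below, not here.
    my $candidate = File::Spec->catfile( $base, $relative_name );

    # Symlink check first: it must run before anything that would
    # dereference the link (realpath, -f, or the image constructor).
    return ( undef, 'path_traversal' ) if -l $candidate;

    my $resolved = realpath($candidate);
    return ( undef, 'missing' ) unless defined $resolved && -f $resolved;

    # Containment check: the resolved path must be $base or below it.
    my $prefix = $base eq '/' ? '/' : "$base/";
    return ( undef, 'path_traversal' ) unless index( $resolved, $prefix ) == 0;

    return ( $resolved, undef );
}

# Self-check against a constructed extraction directory: a plain file,
# a symlink to a host file, and a ".." traversal entry.
my $dir = tempdir( CLEANUP => 1 );
open my $fh, '>', "$dir/cover.png" or die "open: $!";
print $fh "constructed placeholder, not real PNG data\n";
close $fh;
symlink '/etc/passwd', "$dir/sneaky.png" or die "symlink: $!";

for my $name ( 'cover.png', 'sneaky.png', '../../etc/passwd' ) {
    my ( $path, $err ) = validated_image_path( $dir, $name );
    printf "%-20s -> %s\n", $name,
        defined $path ? "ok: $path" : "rejected ($err)";
}
```

Two points worth keeping in mind when reusing this pattern: `-l` only inspects the final path component, so a symlinked intermediate directory is handled by the `realpath` containment check rather than by `-l`; and the symlink test has to come before `realpath` or `-f`, both of which follow links and would otherwise report the target's properties instead of the link's.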
