- Issue created by @willempje2
I had unpublished this not realizing it is the public post of an originally private issue. I've added a note about that to the issue summary.
Heine: The issue below has been cleared by the security team to be fixed in public.
The entity.node.webform.results_export route allows me to freely pass a filename in the query parameter. Because the "file_exists" function triggers before "Url::fromRoute," one could pass a relative file path that traverses up in directories. Although checks inside "Url::fromRoute" prevent the file from being downloaded, it does return an error instead of the default page, allowing me to find out whether the file exists or not.
Steps I used to reproduce this:
1. Install webform_node
2. Create a node of new webform content-type.
3. Go to the download page for this file: /node/1/webform/results/download
4. Upload any file anywhere you typically do not want people to check for files.
5. Visit said uploaded file with: /node/1/webform/results/download?filename=/../var/www/html/private/test.jpg
6. This path will return a 500 response.
7. Unlike the default behavior where a 404 is given when the file does not exist: /node/1/webform/results/download?filename=/../var/www/html/private/doesnotexist.jpg
Disregarding the actual error, this discrepancy will allow a user to check for the existence of a file they would otherwise not have access to or know the existence of.
Error given: Parameter "filename" for route "entity.node.webform.results_export_file" must match "[^/]++"
Active
6.3
Code
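The ordering problem described in the report, shown next to a validate-first version that answers every failure with the same 404. This is an added example, not code from the Webform module; the function names, the way the export directory is joined with the query value, and the temporary demo directory are all assumptions made for illustration.

```php
<?php
// Added illustration, not Webform module code; all names are hypothetical.

// Order described in the report: the raw query value reaches file_exists()
// first, and the route requirement "[^/]++" only fails afterwards, so an
// existing path (500) is distinguishable from a missing one (404).
function status_probe_first(string $exportDir, string $filename): int {
  if (!file_exists($exportDir . $filename)) {
    return 404;
  }
  return preg_match('#^[^/]+$#', $filename) ? 200 : 500;
}

// Hardened order: accept only a single path segment before touching the
// filesystem, confirm the resolved path stays inside the export directory,
// and answer every failure with the same 404.
function status_validate_first(string $exportDir, string $filename): int {
  if ($filename === '' || $filename === '.' || $filename === '..'
      || strpbrk($filename, "/\\\0") !== false) {
    return 404;
  }
  $base = realpath($exportDir);
  $path = realpath($exportDir . '/' . $filename);
  if ($base === false || $path === false
      || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
    return 404;
  }
  return is_file($path) ? 200 : 404;
}

// Constructed demo tree: <tmp>/exports is the export directory and
// <tmp>/private/test.jpg stands in for a file outside it.
$root = sys_get_temp_dir() . '/webform_oracle_demo_' . getmypid();
mkdir("$root/exports", 0700, true);
mkdir("$root/private", 0700, true);
touch("$root/private/test.jpg");

foreach (['/../private/test.jpg', '/../private/doesnotexist.jpg'] as $name) {
  printf("%-30s probe-first=%d validate-first=%d\n", $name,
    status_probe_first("$root/exports", $name),
    status_validate_first("$root/exports", $name));
}
```

The `realpath()` containment check is redundant for these two inputs, since the segment check already rejects them; it is there for names that pass the segment check but resolve elsewhere, such as a symlink inside the export directory.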