Webform_node results_export download

Open on Drupal.org →

Created on 2 April 2024, over 1 year ago

The entity.node.webform.results_export route allows me to freely pass a filename in the query parameter. Because the "file_exists" function triggers before "Url::fromRoute," one could pass a relative file path that traverses up in directories. Although checks inside "Url::fromRoute" prevent the file from being downloaded, it does return an error instead of the default page, allowing me to find out whether the file exists or not.

Steps I used to reproduce this:

1 Install webform_node
2 Create a node of new webform content-type.
3 Go to the download page for this file: /node/1/webform/results/download
4 Upload any file anywhere you typically do not want people to check for files.
5 Visit said upload file with: /node/1/webform/results/download?filename=/../var/www/html/private/test.jpg
6 This path will return a 500 response.
7 Unlike the default behavior where a 404 is given when the file does not exist: /node/1/webform/results/download?filename=/../var/www/html/private/doesnotexist.jpg

Disregarding the actual error this discrepancy will allow a user to check for the existence of a file it would otherwise not have access to or should know the existence from.

Error given: Parameter "filename" for route "entity.node.webform.results_export_file" must match "[^/]++"

🐛 Bug report

Status

Active

Version

5.0

Component

Code

Created by

🇳🇱Netherlands willempje2

Live updates comments and jobs are added and updated live.

Sign in to follow issues

Comments & Activities

Issue created by @willempje2
Comment over 1 year ago →
cilefen
I had unpublished this not realizing it is the public post of an originally private issue. I've added a note about that to the issue summary.
Comment about 1 year ago →
🇳🇱Netherlands heine
Comment about 1 year ago →
🇨🇦Canada Liam Morland Ontario, CA 🇨🇦
Comment about 1 month ago →
🇺🇸United States damienmckenna NH, USA
Adding the appropriate tag.
First commit to issue fork.

Comment about 1 month ago →

🇺🇸United States jrockowitz Brooklyn, NY

I think the below code should do the trick.

      // Sanitize $file_name to remove directory traversing.
      $file_name = str_replace(['..', '/', '\\'], '', $query['filename']);
      $file_path = $this->submissionExporter->getFileTempDirectory() . '/' . $file_name;

Comment 20 days ago →
🇳🇱Netherlands willempje2
Tested, and this fix works for me (in a clean setup).
Comment 20 days ago →
🇨🇦Canada Liam Morland Ontario, CA 🇨🇦
Please make a merge request.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024