Security too restrictive

Created on 29 December 2009, almost 15 years ago
Updated 3 December 2023, 12 months ago

The upgrade to v3.6 includes checks that the path to the image (for local folders) does not include ".."

For the component of the path which is input as part of the tag on the page this is fine, preventing access to folders outside the scope of the configured root. However, the check is also applied to the part of the path set up by the administrator to define the root folder for all galleries, which in my opinion is too restrictive.

I have a live site and a test site in separate subdirectories, and have set my galleries root folder to be a common location, at the same level as these two. Before v3.6 the two sites could both access the same common folder by setting up a root folder starting with ../../. The restriction in v3.6 has broken this design, which, as I say, seems to me quite reasonable.

Tony.
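To illustrate the distinction the report draws between the two parts of the path, here is an added example (not code from the module or from the reporter, written in Python rather than the module's PHP): the over-broad check that rejects any ".." anywhere, beside a variant that canonicalises the administrator-configured root once and then confines only the user-supplied tag part to that root. The directory layout, the configured root "../galleries" (assumed to be relative to the site directory) and the sample file are constructed inside a temporary folder.

```python
import os
import shutil
import tempfile
from typing import Dict, Optional


def naive_contains_dotdot(path: str) -> bool:
    """The over-broad check described in the report: reject a path if any
    component is '..', regardless of whether it came from the administrator's
    root setting or from the tag on the page."""
    return ".." in path.replace("\\", "/").split("/")


def resolve_gallery_file(site_dir: str, configured_root: str,
                         user_path: str) -> Optional[str]:
    """Hardened variant (added example, not the module's code).

    The administrator's root is canonicalised once, '..' and all, relative to
    the site directory; only the user-supplied part is then confined to that
    canonical root. Returns the absolute path, or None if it would escape."""
    root = os.path.realpath(os.path.join(site_dir, configured_root))
    # realpath also collapses symlinks and '..' inside the user part, so the
    # containment test sees the path the filesystem would actually open.
    candidate = os.path.realpath(os.path.join(root, user_path))
    # commonpath compares whole components, so a sibling such as
    # '<root>2' is not mistaken for something under '<root>'.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def build_layout() -> str:
    """Construct the layout from the report: live and test sites as sibling
    subdirectories, with the galleries in a common sibling folder."""
    base = tempfile.mkdtemp(prefix="gallery_demo_")
    for sub in ("live_site", "test_site", os.path.join("galleries", "album1")):
        os.makedirs(os.path.join(base, sub))
    with open(os.path.join(base, "galleries", "album1", "photo.jpg"), "wb") as fh:
        fh.write(b"constructed placeholder, not a real image")
    return base


def demo() -> Dict[str, bool]:
    """Run both checks over the constructed layout and report outcomes."""
    base = build_layout()
    try:
        live = os.path.join(base, "live_site")
        configured_root = "../galleries"  # the administrator's setting
        return {
            # the naive check refuses the admin root even for a legitimate file
            "naive_rejects_admin_root":
                naive_contains_dotdot(configured_root + "/album1/photo.jpg"),
            # ...although it does correctly refuse traversal in the tag part
            "naive_rejects_user_traversal":
                naive_contains_dotdot("album1/../../x"),
            # the hardened check serves the legitimate file under the shared root
            "hardened_serves_valid":
                resolve_gallery_file(live, configured_root, "album1/photo.jpg")
                is not None,
            # ...and still blocks every way of leaving that root
            "hardened_blocks_escape":
                resolve_gallery_file(live, configured_root,
                                     "../live_site/settings.php") is None,
            "hardened_blocks_nested_escape":
                resolve_gallery_file(live, configured_root,
                                     "album1/../../test_site/x") is None,
            "hardened_blocks_absolute":
                resolve_gallery_file(live, configured_root, "/etc/hostname")
                is None,
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the hardened variant is that ".." in the configured root is harmless once the root has been resolved to an absolute canonical path, because the containment test is made against that resolved root, not against the literal string; the tag-supplied part is what must never escape it.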

🐛 Bug report
Status: Active
Version: 3.6
Component: Code
Created by:


Comments & Activities

