ring-clojure / ring-defaults

A library to provide sensible Ring middleware defaults
MIT License
343 stars 32 forks

Security vulnerability in dependent library - commons-io #38

Closed eydevelopment closed 1 year ago

eydevelopment commented 3 years ago

The WhiteSource utility flagged the following issue in commons-io, which is a library used in ring-core:

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Suggested fix by the utility: upgrade to version commons-io:commons-io:2.7, or replace or update the following files: FilenameUtilsTestCase.java, FilenameUtils.java
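An added example, not code from this issue nor from ring-core or ring-defaults, of the check that the advisory text above implies a caller needs: whatever a string normalizer such as FilenameUtils.normalize returns for inputs like "//../foo", the code that turns that result into a file path should resolve it against the intended base directory and compare canonical paths, so that a result that still points at the parent directory is rejected. The namespace and function names are assumptions for illustration.

```clojure
(ns example.safe-path
  (:import [java.io File]))

;; Hypothetical helper (assumed name, not part of Ring): canonical path of a
;; directory with a trailing separator, so "/srv/public" cannot match
;; "/srv/publicity" in the prefix comparison below.
(defn- canonical-dir [^File dir]
  (let [p (.getCanonicalPath dir)]
    (if (.endsWith p File/separator) p (str p File/separator))))

(defn safe-file
  "Resolve `rel-path` (untrusted, e.g. taken from a request) inside
   `base-dir`. Returns a java.io.File when the canonical form of the
   result stays within `base-dir`, otherwise nil. The decision is made
   on the canonical path, not on the (possibly normalized) string, so
   limited traversal such as \"//../foo\" is caught regardless of what
   a normalizer did with it first."
  [^String base-dir ^String rel-path]
  (let [base   (File. base-dir)
        target (File. base rel-path)
        root   (canonical-dir base)
        cpath  (str (.getCanonicalPath target) File/separator)]
    (when (.startsWith cpath root)
      target)))

(comment
  ;; Constructed inputs, using the strings quoted in the advisory.
  (safe-file "/srv/public" "docs/readme.txt") ; file inside base
  (safe-file "/srv/public" "//../foo")        ; nil: canonical path is /srv/foo
  ;; "\..\foo" is OS-dependent: on Windows the backslashes are separators
  ;; and the canonical path escapes base (nil); on POSIX they are ordinary
  ;; filename characters and the file stays inside base.
  (safe-file "/srv/public" "\\..\\foo"))
```

The point of comparing canonical paths rather than normalized strings is that canonicalization also follows symbolic links and platform separator rules, which a purely textual normalizer cannot account for; a normalizer is at best a tidy-up step before this check, never a substitute for it.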

weavejester commented 3 years ago

If this is an issue in Ring core, can you move this issue to that repository?

I don't believe this will affect Ring core, as the normalize method isn't used, nor do I believe it would be used in any derived function. However, it's better to be safe than sorry, so I'll update the dependency.

rome-user commented 1 year ago

@weavejester Assuming the dependency in question was updated, it seems that this issue can be closed now.