pdobrescu
commented
2 years ago Thanks for the PR @soulseekah, I'll get this merged and it will be included in the next EMR release ;-)
Closed soulseekah closed 2 years ago
pdobrescu
commented
2 years ago Thanks for the PR @soulseekah, I'll get this merged and it will be included in the next EMR release ;-)
This patch makes traversal impossible by making sure that the canonical resolved path is still inside the WordPress uploads directory. While a low-impact issue, it's still possible to do some really weird things.