Fix: Add path traversal protection to DirectivePlugin (APSB26-05)#50
Open
Maksold wants to merge 1 commit into
Open
Fix: Add path traversal protection to DirectivePlugin (APSB26-05)#50Maksold wants to merge 1 commit into
Maksold wants to merge 1 commit into
Conversation
Magento 2.4.6-p14 security patch (APSB26-05) added path traversal protection to Cms\Controller\Adminhtml\Wysiwyg\Directive::execute() via DirectoryResolver::validatePath(). However, the DirectivePlugin uses aroundExecute() and returns early for SVG files, completely bypassing this security validation. Changes: - Add DirectoryResolver to validate file path is within media directory - Add Filesystem for proper path resolution via getAbsolutePath() - Normalize path separators (backslash to forward slash) - Replace file_get_contents() with Magento filesystem abstraction
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Magento 2.4.6-p14 security patch (APSB26-05) added path traversal protection to
Magento\Cms\Controller\Adminhtml\Wysiwyg\Directive::execute()viaDirectoryResolver::validatePath(). This ensures that only files within thepub/media/directory can be served.However,
DirectivePlugin::aroundExecute()returns early for SVG/vector images before calling$proceed(), which means the new security validation is completely bypassed for vector image requests.Security Issue
An admin user could craft a
___directiveparameter that resolves to a path outsidepub/media/(e.g.,../../app/etc/env.php). If the file passesisVectorImage()check (extension or MIME type), its contents would be returned viafile_get_contents()without any path validation.Changes
DirectoryResolverto validate that the resolved file path is within the media directoryFilesystemfor proper path resolution viagetAbsolutePath()(consistent with core Magento approach)\→/) before processingfile_get_contents()with$mediaDirectory->readFile()to use Magento's filesystem abstraction instead of raw PHP file accessAffected Magento Versions
All Magento installations using
magestyapps/module-web-imageswith Magento 2.4.6-p14+ (and likely earlier versions that had less comprehensive but still relevant path handling).Testing
pub/media/via crafted directive → should fail with "Invalid Path" exception and fall through to$proceed()