Skip to content

Fix CVE-2025-0818#3723

Merged
nao-pon merged 2 commits intoStudio-42:masterfrom
L0nlySegments:CVE-2025-0818
Aug 28, 2025
Merged

Fix CVE-2025-0818#3723
nao-pon merged 2 commits intoStudio-42:masterfrom
L0nlySegments:CVE-2025-0818

Conversation

@L0nlySegments
Copy link
Contributor

@L0nlySegments L0nlySegments commented Aug 23, 2025

This patch addresses the most critical aspects of CVE-2025-0818 (arbitrary file deletes and reads).
Further security assessments should be conducted to validate the robustness of this patch by the project maintainers.

@L0nlySegments
CVE-2025-0818 (Part 1)
199e0ef 
- Fixed arbitrary file delete by prepending the tempath to the global temp file array paths before deleting them

- This also required a new global array (elFinderAbortFiles) because the temp path could be different depeing on the configuration of elFInder.

- Removed the ability of getTempPath() to return the writableTmb path because this would unnecessarly complicate things when checking the path before deletion
@L0nlySegments
CVE-2025-0818 (Part II)
823e7cd 
- Prevented arbitrary file read by prepending the common temp directory to the extracted onetime file path of the 'file' commands 'ontime' function.

- Prevented directory traversal and the general use of paths by using basename() for the appended file name.

- This patch currently prevents arbitrary file reads and deletes. However, it still allows this for files in the .tmp directory. This should also at least be mitigated.
@nao-pon nao-pon merged commit a560291 into Studio-42:master Aug 28, 2025
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@L0nlySegments @nao-pon