Path traversal possible during temporary file manipulations

Impact

Path Traversal is possible in Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName.
With this method, an attacker can pass the path to a non-existent file, which will allow writing the content to a new file that will be available during script execution. The file will be deleted immediately after the script ends.

Workarounds

Apply patch

--- a/vendor/oro/platform/src/Oro/Bundle/GaufretteBundle/FileManager.php
+++ b/vendor/oro/platform/src/Oro/Bundle/GaufretteBundle/FileManager.php
@@ -614,6 +614,10 @@
      */
     public function getTemporaryFileName(string $suggestedFileName = null): string
     {
+        if ($suggestedFileName) {
+            $suggestedFileName = basename($suggestedFileName);
+        }
+
         $tmpDir = ini_get('upload_tmp_dir');
         if (!$tmpDir || !is_dir($tmpDir) || !is_writable($tmpDir)) {
             $tmpDir = sys_get_temp_dir();

Or decorate Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName in your customization and clear $suggestedFileName argument

    public function getTemporaryFileName(string $suggestedFileName = null): string
    {
        if ($suggestedFileName) {
            $suggestedFileName = basename($suggestedFileName);
        }

        return parent::getTemporaryFileName($suggestedFileName);
    }

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Path traversal possible during temporary file manipulations

Package

Affected versions

Patched versions

Description

Impact

Workarounds

References

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

CVE ID

Weaknesses