[PR #32] [MERGED] Fix the fix to path traversal attack, refactor #92

Closed
opened 2026-02-25 23:39:52 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/HaschekSolutions/opentrashmail/pull/32
Author: @Dan-Q
Created: 8/12/2021
Status: Merged
Merged: 8/12/2021
Merged by: @geek-at

Base: master ← Head: master


📝 Commits (5)

  • 5f82811 Add getDirForEmail to perform realPath filtering in core
  • 012ed1e Path safety checks for API that actually work
  • 0953830 Add provided (sanitised) email to output JSON
  • d9a215e Removed debug code
  • 7543c00 Ensure email ID is an integer

📊 Changes

2 files changed (+31 additions, -21 deletions)

📝 web/api.php (+21 -16)
📝 web/inc/core.php (+10 -5)

📄 Description

Fixes #29/#31, by:

  • Adding a utility function to core to consistently get the email dir, and using it
  • Using this function in the web API when testing if the directory exists
  • Top-loading these safety checks in the API so we don't need to concatenate any potentially-unsafe paths in api.php itself
  • Ensure that the $id is an integer (thanks @wr3nch0x1 for spotting this vector!), preventing it too from being used for path traversal attacks and providing an extra safety check that the format is as-expected

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
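
The checks this description outlines (resolve the path, confirm it stays under the mail directory, accept only integer IDs), shown as an added PHP example. It is not the project's code: `resolveMailboxDir`, `parseMessageId` and the temporary directory layout are hypothetical, and the `getDirForEmail` named in the commits may be implemented differently.

```php
<?php
// Added illustration, not opentrashmail code. All names below are hypothetical.

// Return the real directory for $email only when it resolves to a
// subdirectory of $baseDir; otherwise null.
function resolveMailboxDir(string $baseDir, string $email): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks, and fails on missing paths.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $email);
    if ($candidate === false || !is_dir($candidate) || $candidate === $base) {
        return null;
    }
    // Compare against the base plus a trailing separator, so a sibling such
    // as "/data/mail-other" is not accepted for base "/data/mail".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Accept an ID only if it is a plain decimal integer.
function parseMessageId(string $raw): ?int
{
    // ctype_digit() is true only for non-empty all-digit strings, so
    // "12/../../x", "-1" and "" are rejected before any path is built.
    return (ctype_digit($raw) && strlen($raw) <= 18) ? (int) $raw : null;
}

// Constructed demo data in a temporary directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'mail-demo-' . getmypid();
mkdir($base . '/alice@example.test', 0700, true);
mkdir($base . '-other', 0700, true); // sibling that shares the base's name prefix

$emails = ['alice@example.test', '..', '../' . basename($base) . '-other', 'nobody@example.test'];
foreach ($emails as $email) {
    printf("email %-32s => %s\n", $email, resolveMailboxDir($base, $email) ?? 'rejected');
}
foreach (['1628764800', '12/../../x', '-1', ''] as $id) {
    printf("id    %-32s => %s\n", var_export($id, true), var_export(parseMessageId($id), true));
}

rmdir($base . '/alice@example.test');
rmdir($base);
rmdir($base . '-other');
```

Doing both checks before any path is concatenated means later code only ever handles a resolved directory and an integer.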
