Please don't tell anyone about this commit. It's a secret. (#4465)

ildyria · web-flow · commit f4553f6e0145 · 2026-06-26T20:39:17.000+02:00
diff --git a/Dockerfile b/Dockerfile
@@ -89,6 +89,7 @@ RUN apt-get update \
 	ghostscript \
     # Update with respect to vulnerabilities detected with Trivy
     libgssapi-krb5-2 \
+    libssh2-1t64 \
 	&& sed -i '/<\/policymap>/i \  <policy domain="coder" rights="read|write" pattern="PDF" \/>' /etc/ImageMagick-7/policy.xml \
     && install-php-extensions \
     pdo_mysql \
diff --git a/app/Http/Controllers/SecurePathController.php b/app/Http/Controllers/SecurePathController.php
@@ -24,6 +24,8 @@
 use Illuminate\Support\Facades\Crypt;
 use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Facades\Storage;
+use Safe\Exceptions\FilesystemException;
+use function Safe\realpath;
 
 /**
  * Controller responsible for serving files securely.
@@ -48,10 +50,6 @@ public function __invoke(SecurePathRequest $request, ?string $path)
 			throw new InvalidSignatureException();
 		}
 
-		if (is_null($path)) {
-			throw new WrongPathException();
-		}
-
 		if ($request->configs()->getValueAsBool('secure_image_link_enabled')) {
 			try {
 				$path = Crypt::decryptString($path);
@@ -60,7 +58,14 @@ public function __invoke(SecurePathRequest $request, ?string $path)
 			}
 		}
 
-		$file = Storage::disk(StorageDiskType::LOCAL->value)->path($path);
+		$this->prevalidation_path($path);
+
+		try {
+			$file = realpath(Storage::disk(StorageDiskType::LOCAL->value)->path($path));
+		} catch (FilesystemException) {
+			throw new WrongPathException();
+		}
+
 		$valid_path_start = Storage::disk(StorageDiskType::LOCAL->value)->path('');
 		if (!str_starts_with($file, $valid_path_start)) {
 			Log::error('Invalid path for secure path request.', [
@@ -104,4 +109,26 @@ private function signatureHasNotExpired(Request $request)
 
 		return !($expires !== null && $expires !== '' && Carbon::now()->getTimestamp() > $expires);
 	}
+
+	/**
+	 * Validate the path.
+	 *
+	 * @param string|null $path
+	 *
+	 * @return void
+	 *
+	 * @throws WrongPathException
+	 */
+	private function prevalidation_path(?string $path): void
+	{
+		if (is_null($path)) {
+			throw new WrongPathException();
+		}
+
+		foreach (['..', '%2e', '%2f', '\\'] as $invalid_sequence) {
+			if (str_contains($path, $invalid_sequence)) {
+				throw new PathTraversalException('Invalid path for secure path request.');
+			}
+		}
+	}
 }
diff --git a/database/migrations/2026_06_26_173103_bump_version070604.php b/database/migrations/2026_06_26_173103_bump_version070604.php
@@ -0,0 +1,52 @@
+<?php
+
+/**
+ * SPDX-License-Identifier: MIT
+ * Copyright (c) 2017-2018 Tobias Reich
+ * Copyright (c) 2018-2026 LycheeOrg.
+ */
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Support\Facades\Artisan;
+use Illuminate\Support\Facades\DB;
+use Symfony\Component\Console\Output\ConsoleOutput;
+use Symfony\Component\Console\Output\ConsoleSectionOutput;
+
+return new class() extends Migration {
+	private ConsoleOutput $output;
+	private ConsoleSectionOutput $msg_section;
+
+	public function __construct()
+	{
+		$this->output = new ConsoleOutput();
+		$this->msg_section = $this->output->section();
+	}
+
+	/**
+	 * Run the migrations.
+	 *
+	 * @return void
+	 */
+	public function up(): void
+	{
+		DB::table('configs')->where('key', 'version')->update(['value' => '070604']);
+		try {
+			Artisan::call('cache:clear');
+		} catch (\Throwable $e) {
+			$this->msg_section->writeln('<error>Warning:</error> Failed to clear cache for version 7.6.4');
+
+			return;
+		}
+		$this->msg_section->writeln('<info>Info:</info> Cleared cache for version 7.6.4');
+	}
+
+	/**
+	 * Reverse the migrations.
+	 *
+	 * @return void
+	 */
+	public function down(): void
+	{
+		DB::table('configs')->where('key', 'version')->update(['value' => '070603']);
+	}
+};
diff --git a/tests/Feature_v2/SecureImageLinksTest.php b/tests/Feature_v2/SecureImageLinksTest.php
@@ -121,4 +121,13 @@ public function testDisabledSecureImageLinkIsForbidden(): void
 		$response = $this->get($broken_url);
 		$this->assertUnauthorized($response);
 	}
+
+	public function testPathTraversalIsForbidden(): void
+	{
+		$this->setTemporaryLink();
+		$path = URL::route('image', ['path' => 'c3/3d/c661c594a5a781cd44db06828783.png']);
+		$traversal_path = str_replace('c3/3d/c661c594a5a781cd44db06828783.png', '../.env', $path);
+		$response = $this->actingAs($this->userMayUpload1)->get($traversal_path);
+		$this->assertStatus($response, 418);
+	}
 }
diff --git a/version.md b/version.md
@@ -1 +1 @@
-7.6.3
+7.6.4

Original file line number	Diff line number	Diff line change
`@@ -121,4 +121,13 @@ public function testDisabledSecureImageLinkIsForbidden(): void`
`121`	`121`	`$response = $this->get($broken_url);`
`122`	`122`	`$this->assertUnauthorized($response);`
`123`	`123`	`}`
	`124`	`+`
	`125`	`+ public function testPathTraversalIsForbidden(): void`
	`126`	`+ {`
	`127`	`+ $this->setTemporaryLink();`
	`128`	`+ $path = URL::route('image', ['path' => 'c3/3d/c661c594a5a781cd44db06828783.png']);`
	`129`	`+ $traversal_path = str_replace('c3/3d/c661c594a5a781cd44db06828783.png', '../.env', $path);`
	`130`	`+ $response = $this->actingAs($this->userMayUpload1)->get($traversal_path);`
	`131`	`+ $this->assertStatus($response, 418);`
	`132`	`+ }`
`124`	`133`	`}`