creocoder/yii2-flysystem

Flysystem doesn't upload files to a path containing '..' pieces.

trousev opened this issue · 1 comment

HTR:

  1. Try to upload a file with a path containing '..' pieces
  2. Face the error:
2015-06-16 17:01:42 [10.0.2.2][3][-][error][LogicException] exception 'LogicException' with message 'The root path /opt/www/visyond/devel/v3/../userfiles is not readable.' in /home/vagrant/visyond/server/v3/yii2apps/vendor/league/flysystem/src/Adapter/Local.php:37
Stack trace:
#0 /home/vagrant/visyond/server/v3/yii2apps/vendor/creocoder/yii2-flysystem/src/LocalFilesystem.php(45): League\Flysystem\Adapter\Local->__construct('/opt/www/visyon...')
#1 /home/vagrant/visyond/server/v3/yii2apps/vendor/creocoder/yii2-flysystem/src/Filesystem.php(89): creocoder\flysystem\LocalFilesystem->prepareAdapter()
#2 /home/vagrant/visyond/server/v3/yii2apps/vendor/creocoder/yii2-flysystem/src/LocalFilesystem.php(37): creocoder\flysystem\Filesystem->init()
#3 /home/vagrant/visyond/server/v3/yii2apps/vendor/yiisoft/yii2/base/Object.php(107): creocoder\flysystem\LocalFilesystem->init()
#4 [internal function]: yii\base\Object->__construct(Array)
#5 /home/vagrant/visyond/server/v3/yii2apps/vendor/yiisoft/yii2/di/Container.php(372): ReflectionClass->newInstanceArgs(Array)
#6 /home/vagrant/visyond/server/v3/yii2apps/vendor/yiisoft/yii2/di/Container.php(151): yii\di\Container->build('creocoder\flysy...', Array, Array)
#7 /home/vagrant/visyond/server/v3/yii2apps/vendor/yiisoft/yii2/BaseYii.php(344): yii\di\Container->get('creocoder\flysy...', Array, Array)
#8 /home/vagrant/visyond/server/v3/yii2apps/vendor/yiisoft/yii2/di/ServiceLocator.php(133): yii\BaseYii::createObject(Array)
#9 /home/vagrant/visyond/server/v3/yii2apps/api/modules/v1/controllers/FileController.php(95): yii\di\ServiceLocator->get('localFs')
#10 [internal function]: api\modules\v1\controllers\FileController->actionCreate('333')
#11 /home/vagrant/visyond/server/v3/yii2apps/vendor/yiisoft/yii2/base/InlineAction.php(55): call_user_func_array(Array, Array)
#12 /home/vagrant/visyond/server/v3/yii2apps/vendor/yiisoft/yii2/base/Controller.php(151): yii\base\InlineAction->runWithParams(Array)
#13 /home/vagrant/visyond/server/v3/yii2apps/vendor/yiisoft/yii2/base/Module.php(455): yii\base\Controller->runAction('create', Array)
#14 /home/vagrant/visyond/server/v3/yii2apps/vendor/yiisoft/yii2/web/Application.php(84): yii\base\Module->runAction('v1/file/create', Array)
#15 /home/vagrant/visyond/server/v3/yii2apps/vendor/yiisoft/yii2/base/Application.php(375): yii\web\Application->handleRequest(Object(yii\web\Request))
#16 /home/vagrant/visyond/server/v3/htdocs/api/index.php(26): yii\base\Application->run()
#17 {main}
2015-06-16 17:01:42 [10.0.2.2][3][-][info][application] $_GET = [
    'projectId' => '333'
]

It's expected, for security reasons in the original library.