Description
Possibility for Denial of Service by overwriting PHP files with language exports
Impact
Laravel Translation Manager didn't check the locale name, which allowed directory traversal when exporting files. The content would be a PHP file returning an array of translations, but this could lead to unexpected results, like denial of service. Access to the Laravel Translation Manager is required, because a new locale would have to be added and published.
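The check whose absence the Impact section describes, as an added example (not the package's code and not necessarily the change made in 0.6.2): a PHP helper that validates a locale name before it is used to build an export path. The function name `safeLocaleDir`, the allowed-name pattern and the temporary demo directory are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of laravel-translation-manager): returns the
// directory an export for $locale may be written to, or throws.
function safeLocaleDir(string $langRoot, string $locale): string
{
    // 1. Allow-list the name: letters, digits, "_" and "-" only ("en", "pt_BR").
    //    \A...\z rather than ^...$ so a trailing newline is rejected too.
    if (preg_match('/\A[A-Za-z0-9_-]{1,20}\z/', $locale) !== 1) {
        throw new InvalidArgumentException('invalid locale name');
    }

    // 2. Defence in depth: resolve the directory and confirm it is still
    //    below the language root (covers a symlinked locale directory).
    $root = realpath($langRoot);
    if ($root === false) {
        throw new RuntimeException('language root does not exist');
    }
    $dir = $root . DIRECTORY_SEPARATOR . $locale;
    if (!is_dir($dir) && !mkdir($dir, 0755)) {
        throw new RuntimeException('cannot create locale directory');
    }
    $resolved = realpath($dir);
    if ($resolved === false || strpos($resolved, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('locale directory escapes language root');
    }
    return $resolved;
}

// Constructed demo: a temporary directory stands in for the lang directory.
$langRoot = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lang_demo_' . bin2hex(random_bytes(4));
mkdir($langRoot, 0755, true);

foreach (['en', 'pt_BR', '../config', 'en/../../app', "en\n", ''] as $locale) {
    try {
        $dir = safeLocaleDir($langRoot, $locale);
        echo json_encode($locale), ' accepted: ', basename($dir), PHP_EOL;
        rmdir($dir); // remove the demo directory again
    } catch (Throwable $e) {
        echo json_encode($locale), ' rejected: ', $e->getMessage(), PHP_EOL;
    }
}
rmdir($langRoot);
```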
Patches
Version 0.6.2 fixes this issue.
Workarounds
Only allow trusted admins to publish/edit translations.
References
https://github.com/barryvdh/laravel-translation-manager/pull/417
For more information
If you have any questions or comments about this advisory:
- Open an issue in https://github.com/barryvdh/laravel-translation-manager
- Email me (see GitHub profile)
Credits
Found and reported by Natalia Trojanowska
Packages
Name: barryvdh/laravel-translation-manager (composer)
Affected versions: < 0.6.2
Fixed version: 0.6.2