prevent access of wiki files

This prevents the crawler to descent into the wiki directory or data directory, even when for some reason a higher up directory was made accessible. This should prevent the circumvention of ACLs and prevent access to sensitive data like user password hashes etc.
2024-04-03 14:23:53 +02:00
parent 55e6f8f9aa
commit e82754c523
3 changed files with 29 additions and 0 deletions
--- a/Crawler.php
+++ b/Crawler.php
@@ -57,6 +57,9 @@ class Crawler
    {
        $path = $root . $local;

+        // do not descent into wiki or data directories
+        if(Path::isWikiControlled($path)) return [];
+
        if (($dir = opendir($path)) === false) return [];
        $result = [];
        while (($file = readdir($dir)) !== false) {