5.3.0 - Security patch #416

Webklex commented Jun 20, 2023

Impacted are all versions below v5.3.0.
If possible, update to >= v5.3.0 as soon as possible. Impacted was the Attachment::save
method which could be used to write files to the local filesystem. The path was not
properly sanitized and could be used to write files to arbitrary locations.

However, the Attachment::save method is not used by default and has to be called
manually. If you are using this method without providing a sanitized path, you are
affected by this vulnerability.
If you are not using this method or are providing a sanitized path, you are not affected
by this vulnerability and no immediate action is required.

Timeline

  • 17.06.23 21:30: Vulnerability reported
  • 18.06.23 19:14: Vulnerability confirmed
  • 19.06.23 18:41: Vulnerability fixed via PR Improve security #414
  • 20.06.23 13:45: Security patch released
  • 21.06.23 20:48: CVE-2023-35169 got assigned
  • 21.06.23 20:58: Advisory released GHSA-47p7-xfcc-4pv9

If you have any questions or comments, please leave them below.

Thank you all and thank you @angelej for your fantastic help :)

Webklex commented Jun 20, 2023

Additionally, never trust user input and always sanitize it before using it.
For example:

```php
// Do not do this
file_put_contents($attachment->name, $attachment->content);

// Do this instead (sanitize() stands for whatever sanitization fits your use case)
file_put_contents(sanitize($attachment->name), $attachment->content);
```

Sanitization can be done in many ways. For example, you can use the basename function
to remove all path information from the filename. However, this is not a complete
sanitization, and you should always use a proper sanitization method for your use case.
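An added example, not code from this issue or from php-imap itself, of what a more complete sanitization along the lines of the basename suggestion above can look like: the filename is reduced to a single path component and the final path is checked to still resolve inside the chosen directory. `safeAttachmentName` and `saveAttachmentSafely` are hypothetical names, and the attachment's name and content are assumed to be plain strings as in the snippet above.

```php
<?php
// Added example (not php-imap's own code): save an attachment into a fixed
// directory so that an untrusted filename cannot escape it.

function safeAttachmentName(string $name): string {
    // Drop every directory component (also backslash-separated ones),
    // then replace anything outside a conservative character set.
    $base = basename(str_replace("\\", "/", $name));
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', $base);
    // Reject empty names and names made only of dots ("." and "..").
    if ($base === '' || trim($base, '.') === '') {
        $base = 'attachment_' . bin2hex(random_bytes(4));
    }
    return $base;
}

function saveAttachmentSafely(string $directory, string $name, string $content): string {
    $root = realpath($directory);
    if ($root === false || !is_dir($root)) {
        throw new RuntimeException("Target directory does not exist: $directory");
    }
    $target = $root . DIRECTORY_SEPARATOR . safeAttachmentName($name);
    // Defence in depth: the parent of the final path must be exactly $root.
    if (dirname($target) !== $root) {
        throw new RuntimeException("Refusing to write outside of $root");
    }
    if (file_put_contents($target, $content, LOCK_EX) === false) {
        throw new RuntimeException("Could not write $target");
    }
    return $target;
}

// Constructed sample input: a traversal-style filename as it might arrive in a mail.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'attachments';
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}
$written = saveAttachmentSafely($dir, '../../etc/passwd', "sample content\n");
echo $written, PHP_EOL; // the file is written as <tmp>/attachments/passwd
```

The realpath check guards against the case where a filename still resolves outside the directory after sanitization; basename alone would, for instance, turn an empty or dot-only name into something that is not a safe file name.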
