Relative path security issue

[nickgardos]

Hello,

I am using simple-ajax-uploader for a big project and as usual before I push 3rd party code on production I inspect the code. Sadly I found a big security issue with this one...

A user is able to upload a file using the XHR uploader and set a filename of this type: ../../test.txt
All you have to do is to open your browser dev tools and go to the network tab. First upload the test.txt as you would normaly do, and after the upload finishes, click on the logged connection and select Edit and resend. Then, simply change the filename to something like this: ../../test.txt. From my tests the file will be not saved in the upload dir but 2 directories up (or wherever you point it).

To fix this security hole just replace line 93 on Uploader.php with the following:

$this->fileName = str_replace(array('/','\\'),'_',$this->handler->getFileName());

[nickgardos]

Version 2 is also vulnerable. All you have to do is edit the X-File-Name header to something like this: ../../test.txt

To fix v.2 simple add after line 69:

$this->fileName = str_replace(array('/','\\'),'_',$this->fileName);

[LPology]

Nice catch. Just merged your pull request.