Fix applied: Mitigate path traversal in Piotnet Forms get-json-file
What was vulnerable
- Files: inc/ajax/get-json-file.php (free and pro)
- Vulnerability: the user-controlled value of $_REQUEST['libs'] was concatenated into a file path and passed straight to file_get_contents() with no sanitisation, so a value containing ../ sequences or an absolute path let a caller read arbitrary files readable by the PHP process (path traversal).
Exact change made
- Replaced the direct concatenation with the following, where $lib is the requested lib name taken from $_REQUEST['libs']:
  $base_dir  = realpath( dirname( __FILE__ ) . '/../lib' );   // canonical path of the allowed directory
  $requested = basename( $lib );                               // strip every directory component
  $full_path = $base_dir . DIRECTORY_SEPARATOR . $requested . '.json';
  $real      = realpath( $full_path );                         // false if the file does not exist
  if ( $real && strpos( $real, $base_dir ) === 0 && file_exists( $real ) ) {
      $storage[ $requested ] = file_get_contents( $real );
  } else {
      $storage[ $requested ] = null;
  }
Why this fixes it
- basename() discards any directory component of the supplied lib name (so ../../etc/passwd becomes passwd), the appended .json extension restricts reads to JSON files, and realpath() with the prefix check ensures the resolved file (symlinks included) resides inside the intended lib directory, blocking traversal attempts. Two cheap hardenings worth adding while here: reject the request outright if realpath() on the lib directory returns false (on PHP 8, strpos() with a false needle is treated as an empty needle and returns 0, which would make the prefix check vacuous), and compare against $base_dir . DIRECTORY_SEPARATOR rather than $base_dir alone, so a sibling directory whose name starts with "lib" could not satisfy the prefix test.
Testing notes
- The AJAX actions remain protected by nonce verification; test by requesting libs values that contain '../' (for example ../../wp-config) or that are absolute paths (for example /etc/passwd). Each should yield null in $storage rather than file contents, while an existing name such as a real lib file name should still return its JSON.
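- As an added, self-contained example (not the plugin's own code), the check above reimplemented as a function with the two extra guards mentioned under "Why this fixes it", plus a local harness that runs traversal inputs like those in the testing notes against it. The function name safe_read_lib_json(), the harness run_traversal_checks(), and the constructed JSON files are assumptions of this example; the symlink case assumes a POSIX filesystem.

```php
<?php
// Added example, not Piotnet Forms code. Reimplements the hardened lookup from the
// fix with two extra guards and runs constructed traversal inputs against it.
// Assumptions: lib files are <name>.json inside one directory; helper names are hypothetical.

declare(strict_types=1);

/**
 * Resolve $lib to a file inside $lib_dir and return its contents, or null if the
 * request is rejected or no such file exists.
 */
function safe_read_lib_json( string $lib_dir, string $lib ): ?string {
    // Canonicalise the allowed directory first; refuse everything if it is missing.
    // (Without this, $base_dir === false and strpos( $real, false ) === 0 holds on PHP 8.)
    $base_dir = realpath( $lib_dir );
    if ( $base_dir === false ) {
        return null;
    }

    // basename() drops every directory component: "../../etc/passwd" -> "passwd".
    $requested = basename( $lib );
    if ( $requested === '' || $requested === '.' || $requested === '..' ) {
        return null;
    }

    $full_path = $base_dir . DIRECTORY_SEPARATOR . $requested . '.json';
    $real      = realpath( $full_path ); // false if the file does not exist; follows symlinks

    // Prefix check including the separator, so /srv/lib does not also accept /srv/lib2/...
    $prefix = $base_dir . DIRECTORY_SEPARATOR;
    if ( $real === false || strncmp( $real, $prefix, strlen( $prefix ) ) !== 0 ) {
        return null;
    }

    return is_file( $real ) ? file_get_contents( $real ) : null;
}

/**
 * Build a throwaway lib directory (constructed test data) and run a set of inputs
 * through safe_read_lib_json(). Returns [ input => bool accepted ].
 */
function run_traversal_checks(): array {
    $tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lib-traversal-test-' . bin2hex( random_bytes( 4 ) );
    mkdir( $tmp . '/lib', 0700, true );
    mkdir( $tmp . '/lib2', 0700, true );
    file_put_contents( $tmp . '/lib/countries.json', '{"ok":true}' );
    file_put_contents( $tmp . '/lib2/secret.json', '{"leak":true}' );
    file_put_contents( $tmp . '/outside.json', '{"leak":true}' );
    symlink( $tmp . '/outside.json', $tmp . '/lib/link.json' ); // symlink pointing outside lib

    $cases = [
        'countries',               // legitimate request: accepted
        '../outside',              // relative traversal: rejected
        '../../../../etc/passwd',  // deeper traversal: rejected (also wrong extension)
        '/etc/passwd',             // absolute path: rejected
        '../lib2/secret',          // sibling dir sharing the "lib" prefix: rejected
        'link',                    // symlink inside lib escaping it: rejected by realpath + prefix
        '',                        // empty name: rejected
        'countries.json',          // double extension: rejected (countries.json.json missing)
    ];

    $results = [];
    foreach ( $cases as $input ) {
        $results[ $input ] = safe_read_lib_json( $tmp . '/lib', $input ) !== null;
    }

    // Clean up the constructed tree.
    foreach ( [ '/lib/link.json', '/lib/countries.json', '/lib2/secret.json', '/outside.json' ] as $f ) {
        unlink( $tmp . $f );
    }
    rmdir( $tmp . '/lib' );
    rmdir( $tmp . '/lib2' );
    rmdir( $tmp );

    return $results;
}

foreach ( run_traversal_checks() as $input => $accepted ) {
    printf( "%-28s %s\n", var_export( $input, true ), $accepted ? 'ACCEPTED' : 'rejected' );
}
```

Only the plain "countries" case should print ACCEPTED; every other input is rejected either by basename() (no such file after the directory part is stripped) or by the separator-inclusive prefix check on the realpath() result, which is what catches the symlink case.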
Files changed
- piotnetforms/inc/ajax/get-json-file.php
- piotnetforms-pro/inc/ajax/get-json-file.php
Patch
- A git patch of the commit that introduced these edits has been generated as get-json-file-fix.patch in the piotnetforms folder.