Merge pull request #946 from JulianVennen/block-load-path-traversal

Prevent loading of extensions outside of the expansions folder using the register command
2023-04-04 17:28:00 +03:00 · 2023-04-04 17:28:00 +03:00 · 744cf6d8c0
parent e862abe0b4 b4e60b7db5
commit 744cf6d8c0
1 changed files with 1 additions and 1 deletions
--- a/src/main/java/me/clip/placeholderapi/commands/impl/local/CommandExpansionRegister.java
+++ b/src/main/java/me/clip/placeholderapi/commands/impl/local/CommandExpansionRegister.java
@ -54,7 +54,7 @@ public final class CommandExpansionRegister extends PlaceholderCommand {
    final LocalExpansionManager manager = plugin.getLocalExpansionManager();

    final File file = new File(manager.getExpansionsFolder(), params.get(0));
-    if (!file.exists()) {
+    if (!file.exists() || !file.getParentFile().equals(manager.getExpansionsFolder())) {
      Msg.msg(sender,
          "&cThe file &f" + file.getName() + "&c doesn't exist!");
      return;