Nixpkgs security tracker
NIXPKGS-2026-0965
GitHub issue
published on
by @LeSuisse Activity log
- Created suggestion
-
@LeSuisse
ignored
4 packages
- filebrowser-quantum
- python312Packages.filebrowser-safe
- python313Packages.filebrowser-safe
- python314Packages.filebrowser-safe
- @LeSuisse accepted
- @LeSuisse published on GitHub
File Browser has an access rule bypass via HasPrefix without trailing separator in path matching
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the Matches() function in rules/rules.go uses strings.HasPrefix() without a trailing directory separator when matching paths against access rules. A rule for /uploads also matches /uploads_backup/, granting or denying access to unintended directories. This vulnerability is fixed in 2.63.1.
References
-
https://github.com/filebrowser/filebrowser/pull/5889 x_refsource_MISC
Affected products
filebrowser
- ==< 2.63.1
Matching in nixpkgs
Ignored packages (4)
pkgs.filebrowser-quantum
Access and manage your files from the web
-
nixos-unstable 1.2.2-stable
- nixpkgs-unstable 1.2.2-stable
- nixos-unstable-small 1.2.2-stable
pkgs.python312Packages.filebrowser-safe
Snapshot of django-filebrowser for the Mezzanine CMS
pkgs.python313Packages.filebrowser-safe
Snapshot of django-filebrowser for the Mezzanine CMS
pkgs.python314Packages.filebrowser-safe
Snapshot of django-filebrowser for the Mezzanine CMS
Package maintainers
-
@HritwikSinghal Hritwik Singhal <nix@thorin.theoakenshield.com>