From 26c1102567c095b051b5e1a0aedb45b78713c283 Mon Sep 17 00:00:00 2001
From: Bartłomiej Dmitruk
Date: Sat, 3 Jan 2026 18:09:44 +0100
Subject: Merge commit from fork

* Fix Path Traversal vulnerability in UserDAO methods
* Add tests and changelog for UserDAO path traversal fix
* make fix-all
* Fix PHPStan
---------
Co-authored-by: Alexandre Alapetite
---
 app/Models/UserDAO.php | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'app')

diff --git a/app/Models/UserDAO.php b/app/Models/UserDAO.php
index 89f8f2a77..d61b5d9c9 100644
--- a/app/Models/UserDAO.php
+++ b/app/Models/UserDAO.php
@@ -49,6 +49,9 @@ class FreshRSS_UserDAO extends Minz_ModelPdo {
 }
 public static function exists(string $username): bool {
+if (!FreshRSS_user_Controller::checkUsername($username)) {
+return false;
+}
 return is_dir(USERS_PATH . '/' . $username);
 }
@@ -64,6 +67,9 @@ class FreshRSS_UserDAO extends Minz_ModelPdo {
 /** Time of the last modification action by the user (e.g., mark an article as read) */
 public static function mtime(string $username): int {
+if (!FreshRSS_user_Controller::checkUsername($username)) {
+return 0;
+}
 return @filemtime(USERS_PATH . '/' . $username . '/config.php') ?: 0;
 }
@@ -79,6 +85,9 @@ class FreshRSS_UserDAO extends Minz_ModelPdo {
 /** Time of the last new content automatically received by the user (e.g., cron job, WebSub) */
 public static function ctime(string $username): int {
+if (!FreshRSS_user_Controller::checkUsername($username)) {
+return 0;
+}
 return @filemtime(USERS_PATH . '/' . $username . '/' . LOG_FILENAME) ?: 0;
 }
 }
-- cgit v1.2.3
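Review bot: The guard added at the top of exists(), mtime() and ctime() is the same three lines copied into each method, and in mtime()/ctime() it silently folds a rejected username into the same `0` that a missing config.php or log file produces, so callers cannot tell "invalid name" from "no such user" and a reader of the method cannot see why the check is there; a why-comment and a single helper would make the intent durable. I would put `// Reject anything that is not a plain username so it cannot escape USERS_PATH.` above each guard, and extend the mtime()/ctime() docblocks with a sentence stating that 0 is also returned when the username is rejected. The fix depends on FreshRSS_user_Controller::checkUsername() being strict enough to exclude path separators and `..`; that function is not in the diff, so the tests mentioned in the subject are the place to pin that contract rather than assuming it here. It also makes a model depend on a controller, and if other UserDAO methods outside these hunks concatenate USERS_PATH with $username they need the same treatment, which is a further argument for routing all three through one private helper such as `private static function userPath(string $username, string $file = ''): ?string` that returns null for a rejected name.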