Minify arbitrary file disclosure
Description
Minify versions prior to 2.1.7 are vulnerable to arbitrary file disclosure due to improper handling of null byte characters in file system operations. When PHP's file system functions receive parameters containing null bytes (\x00), they may truncate the string at the null byte, allowing attackers to bypass file extension checks and path restrictions. This enables unauthorized access to sensitive files within the document root that are normally protected from direct web access, such as configuration files containing database credentials or API keys.
Remediation
Immediately upgrade to Minify version 2.1.7 or later, which addresses this null byte injection vulnerability. If immediate upgrading is not possible, apply the following temporary mitigations:
1. Implement input validation to reject any file paths containing null bytes before processing:
if (strpos($filePath, "\0") !== false) {
throw new Exception('Invalid file path');
}2. Use realpath() to canonicalize file paths and verify they remain within the intended directory:
$realPath = realpath($filePath);
if ($realPath === false || strpos($realPath, $allowedDir) !== 0) {
throw new Exception('Access denied');
}3. Restrict file system permissions to limit PHP's access to only necessary files and directories.
4. Monitor web server logs for suspicious requests containing encoded null bytes (%00) in URL parameters.