GHSA-w727-595x-pc3r

## Summary The fix for CVE-2026-33509 prevents setting `storage_folder` inside `PKGDIR` or `userdir`, but does NOT protect the Flask session directory (`/tmp/pyLoad/flask`). An authenticated attacker can set `storage_folder` to the session directory and download session files of other users via `/files/get/`, leading to account takeover.

## Details

The fix in `src/pyload/core/api/__init__.py`:

```python directories = [PKGDIR, userdir] if any(directories[0].startswith(d) for d in directories[1:]): return # blocked ```

But the Flask session directory is: ```python session_storage_path = os.path.join(api.get_cachedir(), "flask") # = /tmp/pyLoad/flask ← NOT blocked by fix ```

## Attack Chain

1. Attacker (admin) sets `storage_folder = /tmp/pyLoad/flask` 2. Fix does NOT block this — `/tmp/pyLoad/flask` not inside `PKGDIR` or `userdir` 3. Attacker requests `GET /files/get/<victim_session_filename>` 4. `send_from_directory('/tmp/pyLoad/flask', session_file)` serves victim's session 5. Attacker uses stolen session → **Account Takeover**

## PoC

<img width="592" height="408" alt="POC" src="https://github.com/user-attachments/assets/936b9f56-325b-437d-9edd-e0d5bb995187" />

```python import os

PKGDIR = "/usr/lib/python3/dist-packages/pyload" userdir = os.path.expanduser("~/.pyload") session_dir = "/tmp/pyLoad/flask"

correct_case = lambda x: x directories = [ correct_case(os.path.join(os.path.realpath(d), "")) for d in [session_dir, PKGDIR, userdir] ] blocked = any(directories[0].startswith(d) for d in directories[1:])

print(f"Fix blocks session_dir: {blocked}") # Output: Fix blocks session_dir: False ← BYPASS CONFIRMED ```

## Impact Authenticated admin can steal sessions of other users → Account Takeover.

## Suggested Fix ```python blocked_dirs = [PKGDIR, userdir, api.get_cachedir()] directories = [ os.path.join(os.path.realpath(d), "") for d in [value] + blocked_dirs ] if any(directories[0].startswith(d) for d in directories[1:]): return ```