From 123e48a696de1e2f63ab519d4730eb3b87beaa58 Mon Sep 17 00:00:00 2001
From: brandonkelly
Date: Wed, 11 Sep 2024 16:44:23 +0200
Subject: [PATCH] Fixed an RCE vulnerability
---
 CHANGELOG.md | 1 +
 src/helpers/FileHelper.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2d2ae6dc787..a16099630f9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## Unreleased
 - Updated Twig to 3.14. ([#15704](https://github.com/craftcms/cms/issues/15704))
+- Fixed an RCE vulnerability.
 ## 4.12.1 - 2024-09-06
diff --git a/src/helpers/FileHelper.php b/src/helpers/FileHelper.php
index 0c2da884a79..85cf38183f4 100644
--- a/src/helpers/FileHelper.php
+++ b/src/helpers/FileHelper.php
@@ -133,7 +133,7 @@ public static function absolutePath(
 $from = static::absolutePath($from, ds: $ds);
 }
- return $from . $ds . $to;
+ return static::normalizePath($from . $ds . $to, $ds);
 }
 /**
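Review bot: The new `return static::normalizePath($from . $ds . $to, $ds);` in `absolutePath()` ships without a regression test or a comment explaining why the normalization matters (the diffstat lists only CHANGELOG.md and FileHelper.php), so a later refactor could quietly restore the plain concatenation. I would add a comment above the return such as `// Normalize the joined path so "." and ".." segments in $to are resolved before callers inspect it.` and a unit test asserting that a relative `$to` containing `..` comes back with no `..` segment. The normalization is presumably lexical, so it makes the result canonical but does not by itself keep it inside `$from`; callers that need containment still have to check the prefix of the returned value. The body of `absolutePath()` starts before this hunk, so any earlier return path is not visible here and should be confirmed to return a normalized path as well.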