Handle correctly symlinked files in server content files
parent
24bcbcb281
commit
5eb44de02d
|
@ -28,8 +28,8 @@ class Statics extends Module
|
||||||
$resource_path = rtrim($real_root_dir, "/") . $request->path;
|
$resource_path = rtrim($real_root_dir, "/") . $request->path;
|
||||||
|
|
||||||
// Check if within the server root
|
// Check if within the server root
|
||||||
// Realpath will translate any '..' in the path
|
// getAbsolutePath will translate any '..' in the path
|
||||||
$realpath = realpath($resource_path);
|
$realpath = self::getAbsolutePath($resource_path);
|
||||||
if ($realpath && strpos($realpath, $real_root_dir) !== 0) {
|
if ($realpath && strpos($realpath, $real_root_dir) !== 0) {
|
||||||
$response->setStatus(Response::STATUS_PERMANENT_FAILURE);
|
$response->setStatus(Response::STATUS_PERMANENT_FAILURE);
|
||||||
$response->setMeta("Invalid location");
|
$response->setMeta("Invalid location");
|
||||||
|
@ -165,4 +165,33 @@ class Statics extends Module
|
||||||
{
|
{
|
||||||
return (bool)(fileperms($file) & self::WORLD_READABLE);
|
return (bool)(fileperms($file) & self::WORLD_READABLE);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Get an absolute path for a filename
|
||||||
|
*
|
||||||
|
* Translates .. and . to the real locations. The reason I am not using
|
||||||
|
* realpath() to do it is it resolves symlinks
|
||||||
|
*
|
||||||
|
* @param string $path
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public static function getAbsolutePath($path): string
|
||||||
|
{
|
||||||
|
$path = str_replace(array('/', '\\'), DIRECTORY_SEPARATOR, $path);
|
||||||
|
$parts = array_filter(explode(DIRECTORY_SEPARATOR, $path), 'strlen');
|
||||||
|
$absolutes = [];
|
||||||
|
|
||||||
|
foreach ($parts as $part) {
|
||||||
|
if ('.' == $part) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
if ('..' == $part) {
|
||||||
|
array_pop($absolutes);
|
||||||
|
} else {
|
||||||
|
$absolutes[] = $part;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return "/" . implode(DIRECTORY_SEPARATOR, $absolutes);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
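Review bot: The root check at `strpos($realpath, $real_root_dir) !== 0` is now purely lexical, so a symlink anywhere under the content directory is served wherever it points, and the comparison has no trailing separator, so a sibling directory whose name merely begins with the root's name (constructed example: root `/srv/capsule`, sibling `/srv/capsule-private`) also passes. Anchoring the prefix would close the second gap: `$root = rtrim($real_root_dir, "/") . "/";` followed by `if (strpos($realpath . "/", $root) !== 0) {`. The symlink behaviour looks intended by the commit, so it should be stated as a trust assumption in the docblock of `getAbsolutePath()` (whoever can create links in the content directory decides what is readable through the server); if that is too broad, the resolved target could additionally be checked with `realpath()` against a list of permitted directories. `getAbsolutePath()` never returns an empty value, so the `$realpath &&` guard that used to skip missing files is now always true, and because it rewrites `\` to the separator, the string being checked can differ from the path the filesystem interprets on POSIX, where a backslash is an ordinary filename character. The method enclosing the first hunk starts and ends outside the visible lines, so which path is finally opened should be confirmed there.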