Merge branch 'MDL-70163' of git://github.com/paulholden/moodle

Sara Arjona 2021-02-03 12:25:28 +01:00
commit 3abda98a2d


@ -6295,8 +6295,10 @@ function email_to_user($user, $from, $subject, $messagetext, $messagehtml = '',
// The absolute (real) path is also fetched to ensure that comparisons to allowed paths are compared equally.
$attachpath = str_replace('\\', '/', realpath($attachment));
// Add allowed paths to an array (also check if it's not empty).
$allowedpaths = array_filter([
// Build an array of all filepaths from which attachments can be added (normalised slashes, absolute/real path).
$allowedpaths = array_map(function(string $path): string {
return str_replace('\\', '/', realpath($path));
}, [
$CFG->cachedir,
$CFG->dataroot,
$CFG->dirroot,
@ -6304,12 +6306,12 @@ function email_to_user($user, $from, $subject, $messagetext, $messagehtml = '',
$CFG->tempdir,
$CFG->localrequestdir,
]);
// Set addpath to true.
$addpath = true;
// Check if attachment includes one of the allowed paths.
foreach ($allowedpaths as $allowedpath) {
// Make sure both variables are normalised before comparing.
$allowedpath = str_replace('\\', '/', realpath($allowedpath));
foreach (array_filter($allowedpaths) as $allowedpath) {
// Set addpath to false if the attachment includes one of the allowed paths.
if (strpos($attachpath, $allowedpath) === 0) {
$addpath = false;
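Review bot: The check `strpos($attachpath, $allowedpath) === 0` in the second hunk is a plain string-prefix test, and the entries built by the new `array_map` closure come from `realpath()`, which returns directories without a trailing slash. A directory that only shares a leading string with an allowed one (constructed example: `/srv/moodledata-old` against `/srv/moodledata`) would therefore count as being inside it. Anchoring the comparison on a directory boundary avoids that: `if (strpos($attachpath, rtrim($allowedpath, '/') . '/') === 0) {`. The closure also depends on `realpath()` returning `false` for a missing directory, which (assuming the file does not declare strict types) becomes `''` and is dropped only by the later `array_filter()`; a comment such as `// realpath() returns false for a missing directory; it ends up as '' and is skipped by array_filter() below.` would stop a later edit from removing the filter. email_to_user() starts and ends outside these hunks, so how `$addpath` is used afterwards is not visible here.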