mirror_php/moodle
1
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-04-15 05:25:08 +02:00
Code Issues Projects Releases Wiki Activity

MDL-48929 repository_filesystem: Valide relative path against realpath

Browse Source 
On Windows systems, there could have been a mix of back and forward
slashes, causing the validation of the relative path to fail. Now
we will always get the realpath before comparing.
This commit is contained in:
Nelson Moller 2015-01-22 08:57:54 -05:00 committed by Frederic Massart
parent da0ef2e4cf
commit 413907cff3
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
repository/filesystem/lib.php
View File

@ -575,7 +575,7 @@ class repository_filesystem extends repository {
$fullrelativefilepath = realpath($this->get_rootpath().$basepath.$relativepath);
// Sanity check to make sure this path is inside this repository and the file exists.
if (strpos($fullrelativefilepath, $this->get_rootpath()) === 0 && file_exists($fullrelativefilepath)) {
if (strpos($fullrelativefilepath, realpath($this->get_rootpath())) === 0 && file_exists($fullrelativefilepath)) {
send_file($fullrelativefilepath, basename($relativepath), null, 0);
}
}
@ -665,4 +665,4 @@ function repository_filesystem_cron() {
$instances[$itemid]->remove_obsolete_thumbnails($files);
}
}
}
}