
MDL-34939: Fix clamdscan permissions-related issues

Use the --fdpass parameter, which passes the file descriptor permissions to
clamd and so allows it to scan the given file irrespective of directory and
file permissions. Changing file permissions is not required.
1 parent 7112729 commit ef7dd02cc7df9d003d7d226cbc0aee44d6bcc9b5 @kabalin kabalin committed Apr 15, 2013
Showing with 10 additions and 9 deletions.
  1. +10 −4 repository/lib.php
  2. +0 −5 repository/upload/lib.php
@@ -1143,11 +1143,17 @@ public static function antivir_scan_file($thefile, $filename, $deleteinfected) {
return;
}
- // do NOT mess with permissions here, the calling party is responsible for making
- // sure the scanner engine can access the files!
-
+ $clamparam = ' --stdout ';
+ // If we are dealing with clamdscan, clamd is likely run as a different user
+ // that might not have permissions to access your file.
+ // To make clamdscan work, we use --fdpass parameter that passes the file
+ // descriptor permissions to clamd, which allows it to scan given file
+ // irrespective of directory and file permissions.
+ if (basename($CFG->pathtoclam) == 'clamdscan') {
+ $clamparam .= '--fdpass ';
+ }
// execute test
- $cmd = escapeshellcmd($CFG->pathtoclam).' --stdout '.escapeshellarg($thefile);
+ $cmd = escapeshellcmd($CFG->pathtoclam).$clamparam.escapeshellarg($thefile);
exec($cmd, $output, $return);
if ($return == 0) {
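Review bot: The `--fdpass` switch at `if (basename($CFG->pathtoclam) == 'clamdscan')` is gated on an exact file name, so a wrapper script or a differently named binary that still talks to clamd gets no `--fdpass`; because the same commit removes the chmod fallback in repository/upload/lib.php, the daemon may then be unable to read the upload's temp file. What antivir_scan_file does with a non-zero `$return` lies outside this hunk, so it is worth confirming that a scanner error is not treated as a clean file. I would also tighten the test to `if (basename($CFG->pathtoclam) === 'clamdscan') {` and extend the comment with `// --fdpass only takes effect when clamdscan reaches clamd over a local unix socket.`, which is what the clamdscan manual states. The function body starts and ends outside the hunk.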
@@ -141,12 +141,7 @@ public function process_upload($saveas_filename, $maxbytes, $types = '*', $savep
}
}
- // scan the files, throws exception and deletes if virus found
- // this is tricky because clamdscan daemon might not be able to access the files
- $permissions = fileperms($_FILES[$elname]['tmp_name']);
- @chmod($_FILES[$elname]['tmp_name'], $CFG->filepermissions);
self::antivir_scan_file($_FILES[$elname]['tmp_name'], $_FILES[$elname]['name'], true);
- @chmod($_FILES[$elname]['tmp_name'], $permissions);
// {@link repository::build_source_field()}
$sourcefield = $this->get_file_source_info($_FILES[$elname]['name']);
