allowSymlinks in /lib/private/Files/Storage/Local.php #1257

Closed
Pecadis opened this Issue Sep 4, 2016 · 18 comments


Pecadis commented Sep 4, 2016

Hi,

I just want to know why you added this variable to prevent the system from following symbolic links. I couldn't see an override option to do it directly in the config.php file.

My reason for wanting to know is the following.
I have a Samba AD up and running where the HomeDrive of each user is located on a disk.
My NC server is validating the user with the LDAP component and mounting the user directories on /mnt/userdir/
The /www/data/Exampleuser folder has a symlink to /mnt/userdir/Exampleuser.

With your code to prevent NC from following symlinks, I'm not able to access those files anymore.

I don't need a solution for that atm but I just want to know why you've decided this way.

Thanks
Pecadis

icewind1991 (Member) commented Sep 7, 2016

Allowing symlinks creates a security issue since it allows users to gain access to files outside of their home directory with the access rights of the web server if they have the ability to create symlinks themselves.

The proper solution for your use case seems to be using the LDAP "User Home Folder Naming Rule" to have Nextcloud use /mnt/userdir/Exampleuser in the first place.

nickvergessen (Member) commented Sep 28, 2016

Closing as per above

h-2 commented Oct 14, 2016

> Allowing symlinks creates a security issue since it allows users to gain access to files outside of their home directory with the access rights of the web server if they have the ability to create symlinks themselves.

From my point of view, these are two different things. You can follow symlinks created by the system administrator and still prevent users from creating new ones. How is this related? Why is the first one being prevented? It broke my setup 😢

Thanks!
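
The distinction argued in the comments above (links an administrator placed versus links a user could create), as an added example that is not part of the thread or of Nextcloud's code: a Python audit that lists every symlink under a data directory, whether it resolves outside the owning user's home, and whether the link itself is owned by a trusted UID. Treating link ownership as the marker for "admin-created", the `may_follow` policy and the sample tree are assumptions made for this illustration.

```python
import os
import tempfile
from dataclasses import dataclass


@dataclass
class LinkFinding:
    link: str            # path of the symlink, relative to the data directory
    target: str          # fully resolved target path
    escapes: bool        # target lies outside the owning user's home
    trusted_owner: bool  # the link itself is owned by a trusted (admin) UID


def is_inside(base: str, path: str) -> bool:
    """True if `path`, after resolving every symlink, is `base` or below it."""
    base_real = os.path.realpath(base)
    return os.path.commonpath([base_real, os.path.realpath(path)]) == base_real


def audit_symlinks(data_dir: str, trusted_uids=frozenset({0})) -> list:
    """Report every symlink below data_dir without descending through any."""
    findings = []
    for root, dirs, files in os.walk(data_dir, followlinks=False):
        for name in sorted(dirs + files):
            path = os.path.join(root, name)
            if not os.path.islink(path):
                continue
            rel = os.path.relpath(path, data_dir)
            user = rel.split(os.sep)[0]
            # A home that is itself a link is judged against the data directory.
            boundary = data_dir if rel == user else os.path.join(data_dir, user)
            findings.append(LinkFinding(
                link=rel,
                target=os.path.realpath(path),
                escapes=not is_inside(boundary, path),
                # lstat() inspects the link, not whatever it points to.
                trusted_owner=os.lstat(path).st_uid in trusted_uids,
            ))
    return sorted(findings, key=lambda f: f.link)


def may_follow(finding: LinkFinding) -> bool:
    """Hypothetical policy: follow contained links and admin-owned links only."""
    return finding.trusted_owner or not finding.escapes


def build_demo_tree() -> str:
    """Constructed sample layout in a temp directory; returns the data dir."""
    top = tempfile.mkdtemp(prefix="symlink-audit-")
    data = os.path.join(top, "data")
    files = os.path.join(data, "alice", "files")
    outside = os.path.join(top, "mnt", "userdir")
    os.makedirs(files)
    os.makedirs(os.path.join(outside, "bob"))
    with open(os.path.join(files, "notes.txt"), "w") as fh:
        fh.write("inside\n")
    os.symlink("notes.txt", os.path.join(files, "alias.txt"))  # stays inside
    os.symlink(outside, os.path.join(files, "escape"))         # leaves the home
    os.symlink(os.path.join(outside, "bob"), os.path.join(data, "bob"))  # linked home
    return data


if __name__ == "__main__":
    demo = build_demo_tree()
    # Treat the current user as the "admin" so the demo runs without root.
    for f in audit_symlinks(demo, trusted_uids={os.getuid()}):
        print(f"{f.link:28} escapes={f.escapes!s:5} follow={may_follow(f)}")
```

The audit is a point-in-time check: a link swapped after the scan is not covered, so it complements rather than replaces enforcement at open time.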

cgrima commented Oct 27, 2016

Agreed with h-2. He does not ask for the ability of a user to create symlinks, but he wants NC to follow symlinks created by the administrator through a UNIX-like system.
See #1927 for additional description and use cases.

Pecadis commented Oct 27, 2016

Thank you @cgrima for the deeper explanation. Looks like I was not clear enough.

@nickvergessen or @icewind1991 could you explain the recommended way to implement this kind of feature without hitting your security rules?

tavinus commented Nov 28, 2016

Changing the variable $allowSymlinks to true does seem to work.
Not too sure about the vulnerabilities though.

Changed: /lib/private/Files/Storage/Local.php

In:

```php
class Local extends \OC\Files\Storage\Common {
	protected $datadir;
	protected $dataDirLength;
	protected $allowSymlinks = false;
	// ...
```

To:

```php
	protected $allowSymlinks = true;
```

And I can see my symlinks' contents (had to remove and re-add my external storage that has symlinks).

I don't care too much about other users, since this install only offers access to admins.

I dislike the fact that I had to change core files though, and that it will be lost with an update. But well, I will probably remove the external storages before updating anyways.

I wonder if allowing symlinks can not be set at the config.php file, would be nice.

PS: I have no option in this case, since the symlinks are crucial to this specific use case.

tx7 commented Dec 14, 2016

I'm not using symlinks, but external storage whose shared folder I reshare to other users.
I'm having the same error in NC v11.0.

```
fwrite() expects parameter 2 to be string, array given at /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/lib/private/Files/Storage/Wrapper/Encryption.php#230

stream_get_contents() expects parameter 2 to be long, string given at /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/3rdparty/sabre/http/lib/Message.php#81

imagecreatefromstring(): Empty string or invalid image at /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/lib/private/legacy/image.php#597

fclose() expects parameter 1 to be resource, boolean given at /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/lib/private/Files/Storage/Local.php#218
```

strukturag-service pushed a commit to spreedbox-packaging/nextcloud-debian that referenced this issue Feb 2, 2017

tx7 commented Feb 26, 2017

I'm on NC 11.0.2, and still have the same issue.

Whenever I play my mp3 files, I get the errors.

Audio Player v1.4.1

```
imagecreatefromstring(): Empty string or invalid image at /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/lib/private/legacy/image.php#597	5 minutes ago
Error	PHP	fclose() expects parameter 1 to be resource, boolean given at /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/lib/private/Files/Storage/Local.php#218	5 minutes ago
Error	PHP	fread() expects parameter 1 to be resource, boolean given at /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/lib/private/Files/Storage/Local.php#217	5 minutes ago
Error	PHP	fopen(/media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/data/tx7/files/media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/core/img/filetypes/audio.svg): failed to open stream: No such file or directory at /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/lib/private/Files/Storage/Local.php#216	5 minutes ago
Error	PHP	filesize(): stat failed for /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/data/tx7/files/media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/core/img/filetypes/audio.svg at /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/lib/private/Files/Storage/Local.php#211	5 minutes ago
Error	PHP	imagecreatefromstring(): Empty string or invalid image at /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/lib/private/legacy/image.php#597	5 minutes ago
Error	PHP	fclose() expects parameter 1 to be resource, boolean given at /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/lib/private/Files/Storage/Local.php#218	5 minutes ago
Error	PHP	fread() expects parameter 1 to be resource, boolean given at /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/lib/private/Files/Storage/Local.php#217	5 minutes ago
Error	PHP	fopen(/media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/data/tx7/files/media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/core/img/filetypes/audio.svg): failed to open stream: No such file or directory at /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/lib/private/Files/Storage/Local.php#216	5 minutes ago
Error	PHP	filesize(): stat failed for /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/data/tx7/files/media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/core/img/filetypes/audio.svg at /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/lib/private/Files/Storage/Local.php#211
Error	PHP	imagecreatefromstring(): Empty string or invalid image at /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/lib/private/legacy/image.php#597	a few seconds ago
Error	PHP	fclose() expects parameter 1 to be resource, boolean given at /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/lib/private/Files/Storage/Local.php#218	a few seconds ago
Error	PHP	fread() expects parameter 1 to be resource, boolean given at /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/lib/private/Files/Storage/Local.php#217	a few seconds ago
Error	PHP	fopen(/media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/data/tx7/files/media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/core/img/filetypes/audio.svg): failed to open stream: No such file or directory at /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/lib/private/Files/Storage/Local.php#216	a few seconds ago
Error	PHP	filesize(): stat failed for /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/data/tx7/files/media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/core/img/filetypes/audio.svg at /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/lib/private/Files/Storage/Local.php#211	a few seconds ago
Error	PHP	imagecreatefromstring(): Empty string or invalid image at /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/lib/private/legacy/image.php#597	a few seconds ago
Error	PHP	fclose() expects parameter 1 to be resource, boolean given at /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/lib/private/Files/Storage/Local.php#218	a few seconds ago
Error	PHP	fread() expects parameter 1 to be resource, boolean given at /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/lib/private/Files/Storage/Local.php#217	a few seconds ago
Error	PHP	fopen(/media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/data/tx7/files/media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/core/img/filetypes/audio.svg): failed to open stream: No such file or directory at /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/lib/private/Files/Storage/Local.php#216	a few seconds ago
Error	PHP	filesize(): stat failed for /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/data/tx7/files/media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/core/img/filetypes/audio.svg at /media/54bf67db-da31-4c50-bb3c-27140944b223/www/nextcloud/lib/private/Files/Storage/Local.php#211
```

fliiiix commented Apr 16, 2017

I need this feature: because of limitations of my OS I have some symlinks, and it would be nice if Nextcloud would follow them. I think it should be possible to follow symlinks and disallow users from uploading symlinks.

quamis commented Oct 6, 2017

The reporter said that it would be useful to follow symlinks, not create them. Creating symlinks would be a security concern indeed, but following them would allow the server admin to better organize the internal storage, and maybe optimize parts of the storage.

In my case, I ran out of space in the data dir, I cannot add more storage (running on an ARM system, only one SATA port, cannot afford to buy a new HDD & reinstall everything). I had to insert one USB drive and move "slow-changing" parts of the data-dir to the USB drive, and symlink them.

tx7 commented Oct 7, 2017

I no longer have this issue in NC v12.

quamis commented Oct 7, 2017

I have 12.0.3, and used to get `Following symlinks is not allowed` in the logs, before altering Local.php, as @tavinus suggested above. The current source code still disallows symlinks (https://github.com/nextcloud/server/blob/master/lib/private/Files/Storage/Local.php).

What you ( @tx7 ) reported above, seems like a different problem. You got missing files, related to the audio player, not symlink related problems.

Salzi commented Oct 13, 2017

A solution could be to have a checkbox in the admin settings for external storage where the admin can choose to follow symlinks?

RichieB2B commented Nov 17, 2017

Even though allowing symlinks should be configurable IMHO, there is an easy workaround: using bind mounts (Linux) or nullfs mounts (BSD):

```sh
mkdir /var/www/nextcloud/data/username/files/mydir
mount --bind /path/to/mydir /var/www/nextcloud/data/username/files/mydir
```

This way Nextcloud will not see mydir as a symbolic link even though the data really resides somewhere else on the file system.

fliiiix commented Nov 18, 2017

@RichieB2B That was something I initially tried on FreeBSD, but without longer mount paths this is quite hard (https://lists.freebsd.org/pipermail/freebsd-fs/2017-April/024684.html), and this will probably be FreeBSD 12 or something.

Salzi commented Dec 8, 2017

The solution from @tavinus still works with Nextcloud 12.0.4, but the integrity test for that file fails, which is a bit annoying.

And yes symlinks are still not allowed in 13 (beta) :-(

tavinus commented Dec 11, 2017

Since following symlinks already works, all that is needed is a way to set the symlink flag at runtime through configuration.

That is the easy part, just need setter/getter for the $Local->allowSymlinks property and a way to configure it (config.php or admin/storage page).

All of that is still kind of easy, even though I didn't notice anyone making a PR for it.

I am guessing that the reason no one did this is because it makes it easier for people to do something that can be harmful.

To do it properly, one should test the vulnerabilities and try to implement countermeasures to it (if possible). Even so, there should be a disclaimer message on the problems and risks about turning symlinks on.

I still only have THAT ONE install running with this hack and that is a low priority / low traffic server. It is hard to deny that a lot of people need/want this though.

Salzi commented Dec 11, 2017

@tavinus The technical side is just one thing. The other is that the Nextcloud devs don't want such a feature. Why should someone invest time to develop (and test!) such a feature if it wouldn't be accepted in the end? As long as no Nextcloud dev admits to this it makes no sense.
