Do not allow symlinks in UploadDir

Signed-off-by: Michal Čihař <michal@cihar.com>
phpmyadmin · Jul 12, 2016 · ab05803 · ab05803
1 parent 41684ff
commit ab05803
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 1 deletion.
diff --git a/import.php b/import.php
@@ -123,7 +123,7 @@
  */
 
 if (! in_array(
-    $format, 
+    $format,
     array(
         'csv',
         'ldi',
@@ -338,6 +338,15 @@
     $import_file = PMA_Util::userDir($cfg['UploadDir'])
         . $local_import_file;
 
+    /*
+     * Do not allow symlinks to avoid security issues
+     * (user can create symlink to file he can not access,
+     * but phpMyAdmin can).
+     */
+    if (is_link($import_file)) {
+        $import_file  = 'none';
+    }
+
 } elseif (empty($import_file) || ! is_uploaded_file($import_file)) {
     $import_file  = 'none';
 }

diff --git a/libraries/File.class.php b/libraries/File.class.php
@@ -428,6 +428,11 @@ public function setLocalSelectedFile($name)
         $this->setName(
             PMA_Util::userDir($GLOBALS['cfg']['UploadDir']) . PMA_securePath($name)
         );
+        if (is_link($this->getName())) {
+            $this->_error_message = __('File is a symbolic link');
+            $this->setName(null);
+            return false;
+        }
         if (! $this->isReadable()) {
             $this->_error_message = __('File could not be read');
             $this->setName(null);

diff --git a/libraries/file_listing.lib.php b/libraries/file_listing.lib.php
@@ -30,6 +30,7 @@ function PMA_getDirContent($dir, $expression = '')
             if ('.' != $file
                 && '..' != $file
                 && is_file($dir . $file)
+                && ! is_link($dir . $file)
                 && ($expression == '' || preg_match($expression, $file))
             ) {
                 $result[] = $file;