From ab05803a4257c12ee75c3cf1cbc941b3ab1dcf7e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Tue, 12 Jul 2016 12:47:35 +0200 Subject: [PATCH] Do not allow symlinks in UploadDir MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michal Čihař --- import.php | 11 ++++++++++- libraries/File.class.php | 5 +++++ libraries/file_listing.lib.php | 1 + 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/import.php b/import.php index d21c13af3eb3..90b15554b988 100644 --- a/import.php +++ b/import.php @@ -123,7 +123,7 @@ */ if (! in_array( - $format, + $format, array( 'csv', 'ldi', @@ -338,6 +338,15 @@ $import_file = PMA_Util::userDir($cfg['UploadDir']) . $local_import_file; + /* + * Do not allow symlinks to avoid security issues + * (user can create symlink to file he can not access, + * but phpMyAdmin can). + */ + if (is_link($import_file)) { + $import_file = 'none'; + } + } elseif (empty($import_file) || ! is_uploaded_file($import_file)) { $import_file = 'none'; } diff --git a/libraries/File.class.php b/libraries/File.class.php index 62b87637cf4a..721b9d0bab75 100644 --- a/libraries/File.class.php +++ b/libraries/File.class.php @@ -428,6 +428,11 @@ public function setLocalSelectedFile($name) $this->setName( PMA_Util::userDir($GLOBALS['cfg']['UploadDir']) . PMA_securePath($name) ); + if (is_link($this->getName())) { + $this->_error_message = __('File is a symbolic link'); + $this->setName(null); + return false; + } if (! $this->isReadable()) { $this->_error_message = __('File could not be read'); $this->setName(null); diff --git a/libraries/file_listing.lib.php b/libraries/file_listing.lib.php index e5b680c2caf0..5c660a3e254d 100644 --- a/libraries/file_listing.lib.php +++ b/libraries/file_listing.lib.php 
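Review bot: `is_link($import_file)` in the `@@ -338` hunk inspects only the final path component, so a symlink at a directory level inside UploadDir (or a symlinked parent of UploadDir) still lets the later open reach a file outside the upload directory; the same limitation applies to `is_link($this->getName())` in libraries/File.class.php and to `! is_link($dir . $file)` in libraries/file_listing.lib.php. A more robust guard resolves the candidate with `realpath()` and rejects it unless the result still lies under `realpath()` of UploadDir, keeping the existing leaf `is_link()` check in place. Note as well that `is_link()` runs before the file is opened, so a link created in between is not caught and hard links are not detected at all; the containment check narrows that window but cannot close it, which is worth stating in the comment. The `if` branch this code sits in starts before the hunk, and how `$local_import_file` was sanitised is not visible here — File.class.php passes `$name` through `PMA_securePath()`, import.php shows no equivalent, so I am assuming the caller already rejects `..` segments.
```php
    $import_file = PMA_Util::userDir($cfg['UploadDir'])
        . $local_import_file;
    /*
     * Do not allow symlinks to avoid security issues
     * (user can create symlink to file he can not access,
     * but phpMyAdmin can).
     * is_link() only looks at the last path component, so also
     * resolve the path and require it to stay inside UploadDir.
     * This is still a check-then-open and does not cover hard links.
     */
    $upload_dir = realpath(PMA_Util::userDir($cfg['UploadDir']));
    $resolved = realpath($import_file);
    if (is_link($import_file)
        || $upload_dir === false
        || $resolved === false
        || strpos($resolved, rtrim($upload_dir, '/') . '/') !== 0
    ) {
        $import_file = 'none';
    }
    // … unchanged: elseif (empty($import_file) || ! is_uploaded_file(...)) …
```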
@@ -30,6 +30,7 @@ function PMA_getDirContent($dir, $expression = '') if ('.' != $file && '..' != $file && is_file($dir . $file) + && ! is_link($dir . $file) && ($expression == '' || preg_match($expression, $file)) ) { $result[] = $file;
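Review bot: The added `&& ! is_link($dir . $file)` deserves a one-line comment explaining why it follows `is_file()`, since `is_file()` resolves symlinks and would on its own accept a link to a regular file; something like `// is_file() follows symlinks, so exclude links explicitly (kept in sync with import.php and File.class.php)`. This filter only shapes the list shown to the user, while the enforcement lives in import.php and libraries/File.class.php which this commit also changes, so a pointer to those places helps the next maintainer keep all three in step. PMA_getDirContent begins before the hunk; only the filter condition is visible here.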