MDL-70130 core: Compare realpaths for file attachment checks

author Andrew Nicols <andrew@nicols.co.uk>

Fri, 6 Nov 2020 02:46:02 +0000 (10:46 +0800)

committer Andrew Nicols <andrew@nicols.co.uk>

Fri, 6 Nov 2020 02:54:09 +0000 (10:54 +0800)
author Andrew Nicols <andrew@nicols.co.uk>
Fri, 6 Nov 2020 02:46:02 +0000 (10:46 +0800)
committer Andrew Nicols <andrew@nicols.co.uk>
Fri, 6 Nov 2020 02:54:09 +0000 (10:54 +0800)
diff --git a/lib/moodlelib.php b/lib/moodlelib.php

index 0a48e9c..ae47df3 100644 (file)
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -6315,7 +6315,8 @@ function email_to_user($user, $from, $subject, $messagetext, $messagehtml = '',
              $mimetype = mimeinfo('type', $attachname);
  
              // Before doing the comparison, make sure that the paths are correct (Windows uses slashes in the other direction).
-            $attachpath = str_replace('\\', '/', $attachment);
+            // The absolute (real) path is also fetched to ensure that comparisons to allowed paths are compared equally.
+            $attachpath = str_replace('\\', '/', realpath($attachment));
  
              // Add allowed paths to an array (also check if it's not empty).
              $allowedpaths = array_filter([
author	Andrew Nicols <andrew@nicols.co.uk>
	Fri, 6 Nov 2020 02:46:02 +0000 (10:46 +0800)
committer	Andrew Nicols <andrew@nicols.co.uk>
	Fri, 6 Nov 2020 02:54:09 +0000 (10:54 +0800)