From c42c08793b5ecc94fb23d78cec95f2602e02caf0 Mon Sep 17 00:00:00 2001
From: Andrew Nicols <andrew@nicols.co.uk>
Date: Fri, 6 Nov 2020 10:46:02 +0800
Subject: [PATCH] MDL-70130 core: Compare realpaths for file attachment checks

Rather than using the provided path, the `realpath` must be used to
ensure that the use of symlinks in paths is normalised.
---
 lib/moodlelib.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index 0a48e9c58a6..ae47df30284 100644
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -6315,7 +6315,8 @@ function email_to_user($user, $from, $subject, $messagetext, $messagehtml = '',
             $mimetype = mimeinfo('type', $attachname);
 
             // Before doing the comparison, make sure that the paths are correct (Windows uses slashes in the other direction).
-            $attachpath = str_replace('\\', '/', $attachment);
+            // The absolute (real) path is also fetched to ensure that comparisons to allowed paths are compared equally.
+            $attachpath = str_replace('\\', '/', realpath($attachment));
 
             // Add allowed paths to an array (also check if it's not empty).
             $allowedpaths = array_filter([
-- 
2.17.1