From c42c08793b5ecc94fb23d78cec95f2602e02caf0 Mon Sep 17 00:00:00 2001
From: Andrew Nicols
Date: Fri, 6 Nov 2020 10:46:02 +0800
Subject: [PATCH] MDL-70130 core: Compare realpaths for file attachment checks

Rather than using the provided path, the `realpath` must be used to ensure that the use of symlinks in paths is normalised.
---
 lib/moodlelib.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index 0a48e9c58a6..ae47df30284 100644
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -6315,7 +6315,8 @@ function email_to_user($user, $from, $subject, $messagetext, $messagehtml = '',
 $mimetype = mimeinfo('type', $attachname);
 // Before doing the comparison, make sure that the paths are correct (Windows uses slashes in the other direction).
- $attachpath = str_replace('\\', '/', $attachment);
+ // The absolute (real) path is also fetched to ensure that comparisons to allowed paths are compared equally.
+ $attachpath = str_replace('\\', '/', realpath($attachment));
 // Add allowed paths to an array (also check if it's not empty).
 $allowedpaths = array_filter([
-- 
2.43.0
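Review bot: `realpath($attachment)` on the new `$attachpath` line returns `false` when the path does not exist or cannot be resolved, and `str_replace()` then quietly turns that into an empty string. The allowed-path comparison that consumes `$attachpath` lies below the hunk, so how it treats an empty string cannot be confirmed from here; that outcome should be an explicit decision, not a side effect of the cast. I would resolve first with `$realattachment = realpath($attachment);` and add an `if ($realattachment === false)` branch that treats the attachment as outside every allowed path, before calling `str_replace('\\', '/', $realattachment)`. It is also worth confirming that the code after the hunk attaches the resolved path that was checked and not the original `$attachment`, otherwise the path compared and the path opened can differ. The body of email_to_user starts and ends outside the hunk.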