31c096f9f8
PR: 207740 Approved by: ports-secteam (feld) MFH: 2016Q1
Arbitrary files with a known path can be accessed in websvn by committing a
|
|
symlink to a repository and then downloading the file (using the download
|
|
link).
|
|
|
|
Author: Thijs Kinkhorst <thijs@debian.org>
|
|
|
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682
|
|
--- dl.php.orig 2011-06-27 09:02:52 UTC
|
|
+++ dl.php
|
|
@@ -137,6 +137,18 @@ if ($rep) {
|
|
exit(0);
|
|
}
|
|
|
|
+ // For security reasons, disallow direct downloads of filenames that
|
|
+ // are a symlink, since they may be a symlink to anywhere (/etc/passwd)
|
|
+ // Deciding whether the symlink is relative and legal within the
|
|
+ // repository would be nice but seems to error prone at this moment.
|
|
+ if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) {
|
|
+ header('HTTP/1.x 500 Internal Server Error', true, 500);
|
|
+ error_log('to be downloaded file is symlink, aborting: '.$archiveName);
|
|
+ print 'Download of symlinks disallowed: "'.xml_entities($archiveName).'".';
|
|
+ removeDirectory($tempDir);
|
|
+ exit(0);
|
|
+ }
|
|
+
|
|
// Set timestamp of exported directory (and subdirectories) to timestamp of
|
|
// the revision so every archive of a given revision has the same timestamp.
|
|
$revDate = $logEntry->date;
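Review bot: The added guard answers a symlink with `header('HTTP/1.x 500 Internal Server Error', true, 500);`, but refusing to serve a link is a decision about the request, not a server failure; `header('HTTP/1.x 403 Forbidden', true, 403);` describes the outcome accurately and keeps these rejections out of server-error counts in monitoring. The check also only inspects the leaf `$tempDir.DIRECTORY_SEPARATOR.$archiveName`: when a directory is exported, links inside it are not rejected here and the protection rests on the archiver storing them as links rather than following them — the zip branch gets that in the second hunk, while the tar branch is not part of this patch and is worth confirming. A short comment above the branch, `// Only the requested entry is checked; links nested in an exported directory must be handled by the archiver options below.`, would make that division of responsibility explicit. The enclosing `if ($rep) {` block begins before this hunk.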
|
|
@@ -180,7 +192,7 @@ if ($rep) {
|
|
$downloadMimeType = 'application/x-zip';
|
|
$downloadArchive .= '.zip';
|
|
// Create zip file
|
|
- $cmd = $config->zip.' -r '.quote($downloadArchive).' '.quote($archiveName);
|
|
+ $cmd = $config->zip.' --symlinks -r '.quote($downloadArchive).' '.quote($archiveName);
|
|
execCommand($cmd, $retcode);
|
|
if ($retcode != 0) {
|
|
error_log('Unable to call zip command: '.$cmd);
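Review bot: The new `--symlinks` option on the `$cmd` line is the Info-ZIP long form of `-y`, and whether it is accepted depends on the zip implementation that `$config->zip` points at; on an implementation that lacks it the command fails, which the existing `$retcode != 0` check does report, but the log message then says nothing about why. A comment on the changed line, `// --symlinks (Info-ZIP -y): store links as links instead of following them, so an exported symlink cannot pull in files from outside the repository checkout`, records the intent for whoever later tunes the zip configuration. The enclosing `if ($rep) {` block starts before this hunk and the surrounding archiver selection continues outside it.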
|