Commit 2a1c3e8c authored by anarcat's avatar anarcat Committed by Antoine Beaupre

do not follow symlinks

This is to avoid the possibility of Denial of Service attacks from the drupal admins: if someone were to create a symlink in files/ that points to the parent sites/ directory, the recursive chmod that happens on verify would loop infinitely (I saw one running for 1h).
parent 0f051e3c
......@@ -369,7 +369,9 @@ function _provision_mkdir_recursive($path, $mode) {
*/
function _provision_call_recursive($func, $path, $arg) {
$status = 1;
if ($dh = @opendir($path)) {
// do not follow symlinks as it could lead to a DOS attack
// consider someone creating a symlink from files/foo to ..: it would create an infinite loop
if ($dh = @opendir($path) && !is_link($path)) {
while (($file = readdir($dh)) !== false) {
if ($file != '.' && $file != '..') {
$status = _provision_call_recursive($func, $path . "/" . $file, $arg) && $status;
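Review bot: The new condition `if ($dh = @opendir($path) && !is_link($path)) {` assigns a boolean to `$dh`, not the directory handle, because `&&` binds tighter than `=` in PHP. `readdir($dh)` on the next line then receives `true`, so the walk over a real directory cannot work as intended (a warning or a TypeError, depending on the PHP version). Test the link first and parenthesise the assignment: `if (!is_link($path) && ($dh = @opendir($path))) {`, which also avoids opening a symlinked directory at all. The rest of `_provision_call_recursive` lies outside the hunk, so it is worth confirming that whatever `$func` does to a skipped symlink afterwards does not act on the link target, as PHP's `chmod()` would.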
......