Commit 2a1c3e8c authored by anarcat's avatar anarcat Committed by Antoine Beaupre

do not follow symlinks

this is to avoid the possibility of Denial of Service attacks from the drupal admins: if someone were to create a symlink in files/ that would point to the parent sites/ directory, the recursive chmod that happens on verify would loop infinitely (i saw one running for 1h)
parent 0f051e3c
......@@ -369,7 +369,9 @@ function _provision_mkdir_recursive($path, $mode) {
*/
function _provision_call_recursive($func, $path, $arg) {
$status = 1;
if ($dh = @opendir($path)) {
// do not follow symlinks as it could lead to a DOS attack
// consider someone creating a symlink from files/foo to ..: it would create an infinite loop
if ($dh = @opendir($path) && !is_link($path)) {
while (($file = readdir($dh)) !== false) {
if ($file != '.' && $file != '..') {
$status = _provision_call_recursive($func, $path . "/" . $file, $arg) && $status;
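Review bot: In the new condition `if ($dh = @opendir($path) && !is_link($path))`, `&&` binds tighter than `=`, so `$dh` receives the boolean result of the whole expression instead of the directory handle, and `readdir($dh)` on the next line no longer gets a resource. As written the loop would stop walking directories at all rather than only skipping symlinks, and the handle returned by opendir() is dropped without being closed. Test the link first and parenthesise the assignment: `if (!is_link($path) && ($dh = @opendir($path))) {`. Checking before opening also means a symlinked directory is never opened; the check and the open are still two separate steps, so a path replaced between them is not covered. The body of _provision_call_recursive continues outside the hunk, so what happens to a skipped symlink in the non-directory branch is not visible here.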
......