Issue #104 - Allowed symlinks in dataroot, added unit tests.

This commit is contained in:
Daniel Thee Roperto
2017-02-20 12:01:51 +11:00
parent 151d2ba59f
commit 0b17efedba
3 changed files with 150 additions and 12 deletions


@@ -60,23 +60,16 @@ header('Accept-Ranges: none');
* @SupressWarnings(PHPMD)
*/
function auth_outage_bootstrap_callback() {
global $CFG;
// We are not using any external libraries or references in this file (cli maintenance is active).
// If you change the path below maybe you need to change maintenance_static_page::get_resources_folder() as well.
$resourcedir = rtrim($CFG->dataroot, '/'); // In case the configuration has a trailing slash.
$resourcedir = $resourcedir.'/auth_outage/climaintenance';
// Protect against path traversal attacks.
$file = $resourcedir.'/'.$_GET['file'];
if (realpath($file) !== $file) {
// Not using classes as classloader has not been initialized yet. Keep it minimalist.
require_once(__DIR__.'/lib.php');
$file = auth_outage_get_climaintenance_resource_file($_GET['file']);
if (is_null($file)) {
// @codingStandardsIgnoreStart
error_log('Invalid file: '.$_GET['file']);
// @codingStandardsIgnoreEnd
http_response_code(404);
die('Not found.');
die('File not found.');
}
readfile($file);
exit(0);
}
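Review bot: `$_GET['file']` is read twice on the new side (the call to auth_outage_get_climaintenance_resource_file() and the error_log line) with no existence check, so a request without a `file` parameter raises an undefined-index notice and hands null to the helper; read it once into a string, `$requested = isset($_GET['file']) ? (string)$_GET['file'] : '';`, and pass that. The error_log line then writes the raw request value, so control characters in the parameter land unescaped in the server log; logging `preg_replace('/[^\x20-\x7e]/', '?', $requested)` instead keeps one request on one log line. With the inline `realpath($file) !== $file` check gone, the containment of the resolved path inside the climaintenance folder now lives entirely in the helper, which this hunk does not show — presumably it still compares the resolved path against the resources folder after following symlinks; worth confirming in the lib.php hunk. The retained docblock also spells the PHPMD annotation `@SupressWarnings`; PHPMD only honours `@SuppressWarnings`, so the intended suppression is a no-op.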