From 7946dccd5e3d3525e45441a17dbcd44d0bea23ee Mon Sep 17 00:00:00 2001
From: Daniel Thee Roperto
Date: Wed, 14 Dec 2016 11:06:07 +1100
Subject: [PATCH] Issue #88 - Injection should be prevented in settings even if symlinks are used.
---
 classes/local/outagelib.php | 4 ++--
 tests/phpunit/local/outagelib_test.php | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/classes/local/outagelib.php b/classes/local/outagelib.php
index 26737bb..0597162 100644
--- a/classes/local/outagelib.php
+++ b/classes/local/outagelib.php
@@ -187,8 +187,8 @@ class outagelib {
 }
 self::$injectcalled = true;
- // Do not inject into admin/settings.php, see Issue #65.
- if ($_SERVER['SCRIPT_FILENAME'] === $CFG->dirroot.'/admin/settings.php') {
+ // Do not inject into admin/settings.php.
+ if ($_SERVER['SCRIPT_NAME'] == '/'.$CFG->admin.'/settings.php') {
 return false;
 }
diff --git a/tests/phpunit/local/outagelib_test.php b/tests/phpunit/local/outagelib_test.php
index ab6101c..736f85c 100644
--- a/tests/phpunit/local/outagelib_test.php
+++ b/tests/phpunit/local/outagelib_test.php
@@ -278,7 +278,8 @@ class outagelib_test extends advanced_testcase {
 self::assertEmpty($CFG->additionalhtmltopofbody);
 // Pretend we are there...
- $_SERVER['SCRIPT_FILENAME'] = $CFG->dirroot.'/admin/settings.php';
+ $_SERVER['SCRIPT_FILENAME'] = '/var/www/alternativepath/admin/settings.php'; // Issue #88 regression test.
+ $_SERVER['SCRIPT_NAME'] = '/admin/settings.php';
 outagelib::reinject();
 self::assertEmpty($CFG->additionalhtmltopofbody);
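Review bot: In the classes/local/outagelib.php hunk, the new guard compares `$_SERVER['SCRIPT_NAME']` with a path rooted at `/`, which only matches when the site is served from the web root. If wwwroot has a path component (for example `/moodle`), `SCRIPT_NAME` would carry that prefix, the guard would not fire, and the injection this check exists to suppress would run on the settings page. Consider comparing a wwwroot-relative script path instead, for instance Moodle's `$SCRIPT` global if the supported versions populate it at this point: `if ($SCRIPT === '/'.$CFG->admin.'/settings.php') {`. The change also relaxes `===` to `==` although both operands are strings, and the rewritten comment drops the pointer that explained why the page is excluded; I would keep strict comparison and write `// Do not inject into admin/settings.php, see Issues #65 and #88.`. The enclosing method starts and ends outside the hunk.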
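Review bot: In the tests/phpunit/local/outagelib_test.php hunk, the regression test hard-codes `'/admin/settings.php'` while the code under test builds the path from `$CFG->admin`, so the test no longer matches the guard on a site with a renamed admin directory; build it the same way, `$_SERVER['SCRIPT_NAME'] = '/'.$CFG->admin.'/settings.php';`. Unless it is already covered outside the hunk, add a case with a path prefix in front of the admin directory and a negative case where a different `SCRIPT_NAME` is expected to inject, so the guard is shown neither to miss the settings page nor to match everything. The test method starts and ends outside the hunk, so whether the `$_SERVER` entries are restored afterwards is not visible here.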