
github.com/phpmyadmin/phpmyadmin.git - Unnamed repository; edit this file 'description' to name the repository.
authorMichal Čihař <michal@cihar.com>2016-07-12 13:47:35 +0300
committerMichal Čihař <michal@cihar.com>2016-07-12 13:47:35 +0300
commitab05803a4257c12ee75c3cf1cbc941b3ab1dcf7e (patch)
treee19df9030ab9c65af5bffe8a910f0c0f528d9c0d /import.php
parent41684ff1a1fe2380c93fc3a0bf2d68ceb81b55e5 (diff)
Do not allow symlinks in UploadDir
Signed-off-by: Michal Čihař <michal@cihar.com>
Diffstat (limited to 'import.php')
-rw-r--r--import.php11
1 files changed, 10 insertions, 1 deletions
diff --git a/import.php b/import.php
index d21c13af3e..90b15554b9 100644
--- a/import.php
+++ b/import.php
@@ -123,7 +123,7 @@ if ($_POST == array() && $_GET == array()) {
*/
if (! in_array(
- $format,
+ $format,
array(
'csv',
'ldi',
@@ -338,6 +338,15 @@ if (! empty($local_import_file) && ! empty($cfg['UploadDir'])) {
$import_file = PMA_Util::userDir($cfg['UploadDir'])
. $local_import_file;
+ /*
+ * Do not allow symlinks to avoid security issues
+ * (user can create symlink to file he can not access,
+ * but phpMyAdmin can).
+ */
+ if (is_link($import_file)) {
+ $import_file = 'none';
+ }
+
} elseif (empty($import_file) || ! is_uploaded_file($import_file)) {
$import_file = 'none';
}
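Review bot: `is_link($import_file)` examines only the final path component, so it does not establish that the resolved file actually lives inside `UploadDir`. If `$local_import_file` can carry a subdirectory component (its sanitisation is outside this hunk), a symlinked directory would pass this check. The file could also be swapped between this check and the later open. A containment check on the resolved path would be stricter: set `$real = realpath($import_file);` and assign `'none'` when `$real === false` or `$real` does not begin with the `realpath()` of the user's upload directory plus a directory separator. It would also help to extend the comment to say that only the last component is tested and that hard links are not covered. The enclosing `if`/`elseif` starts above the hunk.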