From 537b274b4c50b6d5a28c140d48e955466173b7dc Mon Sep 17 00:00:00 2001
From: Michael Kaufmann
Date: Fri, 8 Mar 2024 09:23:21 +0100
Subject: [PATCH] correctly validate if a symlink is within the customers home-directory if it's not an absolute path; fixes #1242
Signed-off-by: Michael Kaufmann
---
 lib/Froxlor/FileDir.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/Froxlor/FileDir.php b/lib/Froxlor/FileDir.php
index acb8fb9a58..0b3b529adb 100644
--- a/lib/Froxlor/FileDir.php
+++ b/lib/Froxlor/FileDir.php
@@ -140,6 +140,12 @@ public static function makeCorrectDir(string $dir, string $fixed_homedir = ""):
 if (is_link($check_dir)) {
 $original_target = $check_dir;
 $check_dir = readlink($check_dir);
+ $link_dir = dirname($original_target);
+ // check whether the link is relative or absolute
+ if (substr($check_dir, 0, 1) != '/') {
+ // relative directory, prepend link_dir
+ $check_dir = $link_dir . '/' . $check_dir;
+ }
 if (substr($check_dir, 0, strlen($fixed_homedir)) != $fixed_homedir) {
 throw new Exception("Found symlink pointing outside of customer home directory: " . substr($original_target, strlen($fixed_homedir)));
 }
@@ -287,7 +293,7 @@ public static function getUnknownDomainTemplate(string $servername = "")
 $tpl_content = lng('admin.templates.unconfigured_content_fallback');
 }
 }
- $redirect_file = FileDir::makeCorrectFile(Froxlor::getInstallDir().'/notice.'.$tpl_ext);
+ $redirect_file = FileDir::makeCorrectFile(Froxlor::getInstallDir() . '/notice.' . $tpl_ext);
 file_put_contents($redirect_file, $tpl_content);
 return basename($redirect_file);
 }
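Review bot: The relative-target branch joins `$link_dir . '/' . $check_dir` but the result is never canonicalised, so a target containing `..` segments still begins with `$fixed_homedir` textually and passes the `substr()` prefix comparison that follows, even though it resolves outside the home directory. Resolving first would close that, e.g. `$resolved = realpath($check_dir);` followed by `if ($resolved === false || strpos($resolved . '/', rtrim($fixed_homedir, '/') . '/') !== 0) {` around the existing throw; this assumes `$fixed_homedir` is itself already a canonical path, which the hunk does not show. `readlink()` can also return `false`, which the new `substr($check_dir, 0, 1)` test would treat as a relative target. The body of makeCorrectDir starts and ends outside the hunk, so later normalisation there cannot be ruled out.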