Fix so temp_dir misconfiguration prints an error to the log (#6045)
alecpl committed Nov 20, 2017
1 parent 9ce8948 commit 39e0b0e
Showing 2 changed files with 14 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG
@@ -55,6 +55,7 @@ CHANGELOG Roundcube Webmail
- Fix so links over images are not removed in plain text signatures converted from HTML (#4473)
- Fix various issues when downloading files with names containing non-ascii chars, use RFC 2231 (#5772)
- Fix broken long filenames when using imap4d server - workaround server bug (#6048)
- Fix so temp_dir misconfiguration prints an error to the log (#6045)

RELEASE 1.3.3
-------------
14 changes: 13 additions & 1 deletion plugins/filesystem_attachments/filesystem_attachments.php
@@ -210,8 +210,20 @@ protected function verify_path($path)
$file_path = pathinfo($path, PATHINFO_DIRNAME);

if ($temp_dir !== $file_path) {
// When the configured directory is not writable, or out of open_basedir path
// tempnam() fallbacks to system temp without a warning.
// We allow that, but we'll let to know the user about the misconfiguration.
if ($file_path == sys_get_temp_dir()) {
rcube::raise_error(array(
'file' => __FILE__,
'line' => __LINE__,
'message' => "Detected 'temp_dir' change. Access to '$temp_dir' restricted by filesystem permissions or open_basedir",
), true, false);

return true;
}

rcube::raise_error(array(
'code' => 403,
'file' => __FILE__,
'line' => __LINE__,
'message' => sprintf("%s can't read %s (not in temp_dir)",
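Review bot: The new `if ($file_path == sys_get_temp_dir())` branch returns true for any path whose directory is the system temp directory, without testing that the configured `$temp_dir` is actually unusable. The log message asserts "restricted by filesystem permissions or open_basedir", but nothing in the hunk checks either condition, so on a correctly configured install a path under the system temp directory now also passes verify_path() where it previously fell through to the 403 error. Since the system temp directory is commonly shared with other processes, consider accepting the fallback only when the misconfiguration is real, for example by adding `!is_writable($temp_dir)` to the condition, and letting every other case reach the existing 403 branch. Two smaller points: the outer comparison uses `!==` while the new one uses `==`, and `===` would be consistent for two strings; and the comment wording ("fallbacks", "let to know the user") could be tidied to "falls back" and "let the user know".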
