1e0ac3f
diff -ur oud/dl.php nieuw/dl.php
--- oud/dl.php	2015-01-18 16:03:30.688791512 +0100
+++ nieuw/dl.php	2015-01-18 16:27:00.950897749 +0100
@@ -137,6 +137,18 @@
 		exit(0);
 	}
 
+	// For security reasons, disallow direct downloads of filenames that
+	// are a symlink, since they may be a symlink to anywhere (/etc/passwd)
+	// Deciding whether the symlink is relative and legal within the
+	// repository would be nice but seems to error prone at this moment.
+	if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) {
+		header('HTTP/1.x 500 Internal Server Error', true, 500);
+		error_log('to be downloaded file is symlink, aborting: '.$archiveName);
+		print 'Download of symlinks disallowed: "'.xml_entities($archiveName).'".';
+		removeDirectory($tempDir);
+		exit(0);
+	}
+
 	// Set timestamp of exported directory (and subdirectories) to timestamp of
 	// the revision so every archive of a given revision has the same timestamp.
 	$revDate = $logEntry->date;
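Review bot: The new is_link() guard only inspects the top-level entry `$tempDir.DIRECTORY_SEPARATOR.$archiveName`; a symlink nested inside an exported directory is not caught here, so the protection for that case rests entirely on the archiver not dereferencing links (the zip branch in the second hunk passes `--symlinks`, while any other archive branch is outside this diff and should be checked for the same behaviour). The refusal is also reported as a server fault, although it is a deliberate policy decision; `header('HTTP/1.x 403 Forbidden', true, 403);` would describe it more accurately to clients and to log analysis, if the surrounding code does not rely on 500 for all aborts. The comment above the check should say "too error prone" rather than "to error prone", and could state the coverage explicitly: `// Only the top-level entry is checked; symlinks inside an exported tree are stored as links by the archiver, not followed.` The enclosing function starts before this hunk.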
@@ -180,7 +192,7 @@
 		$downloadMimeType = 'application/x-zip';
 		$downloadArchive .= '.zip';
 		// Create zip file
-		$cmd = $config->zip.' -r '.quote($downloadArchive).' '.quote($archiveName);
+		$cmd = $config->zip.' --symlinks -r '.quote($downloadArchive).' '.quote($archiveName);
 		execCommand($cmd, $retcode);
 		if ($retcode != 0) {
 			error_log('Unable to call zip command: '.$cmd);
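Review bot: The reason for `--symlinks` on the changed `$cmd` line is not recorded in the code, and it is the part of the change most likely to be removed by a later maintainer who sees only an unexplained flag; a comment such as `// --symlinks: store links as links instead of following them, so a link inside the export cannot pull in its target` would keep the intent next to the command. The option is Info-ZIP specific, so if `$config->zip` can point to another implementation the command fails with a non-zero `$retcode` and the existing error path logs the full `$cmd`, which is acceptable but worth stating in the config documentation. The enclosing function starts before this hunk and its remaining archive branches are not shown.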