Merge pull request #424 from greezybacon/issue/361

Make using `realpath` safer

Reviewed-By: Peter Rotich <peter@osticket.com>

api/cron.php

@@ -13,7 +13,7 @@
 
     vim: expandtab sw=4 ts=4 sts=4:
 **********************************************************************/
-@chdir(realpath(dirname(__FILE__)).'/'); //Change dir.
+@chdir(dirname(__FILE__).'/'); //Change dir.
 require('api.inc.php');
 
 if (!osTicket::is_cli())

api/pipe.php

@@ -15,7 +15,7 @@
     vim: expandtab sw=4 ts=4 sts=4:
 **********************************************************************/
 ini_set('memory_limit', '256M'); //The concern here is having enough mem for emails with attachments.
-@chdir(realpath(dirname(__FILE__)).'/'); //Change dir.
+@chdir(dirname(__FILE__).'/'); //Change dir.
 require('api.inc.php');
 
 //Only local piping supported via pipe.php

bootstrap.php

@@ -261,7 +261,11 @@ class Bootstrap {
 }
 
 #Get real path for root dir ---linux and windows
-define('ROOT_DIR',str_replace('\\', '/', realpath(dirname(__FILE__))).'/');
+$here = dirname(__FILE__);
+$here = ($h = realpath($here)) ? $h : $here;
+define('ROOT_DIR',str_replace('\\', '/', $here.'/'));
+unset($here); unset($h);
+
 define('INCLUDE_DIR',ROOT_DIR.'include/'); //Change this if include is moved outside the web path.
 define('PEAR_DIR',INCLUDE_DIR.'pear/');
 define('SETUP_DIR',ROOT_DIR.'setup/');

client.inc.php

@@ -15,7 +15,7 @@
 **********************************************************************/
 if(!strcasecmp(basename($_SERVER['SCRIPT_NAME']),basename(__FILE__))) die('kwaheri rafiki!');
 
-$thisdir=str_replace('\\', '/', realpath(dirname(__FILE__))).'/';
+$thisdir=str_replace('\\', '/', dirname(__FILE__)).'/';
 if(!file_exists($thisdir.'main.inc.php')) die('Fatal Error.');
 
 require_once($thisdir.'main.inc.php');

include/class.i18n.php

@@ -150,7 +150,7 @@ class DataTemplate {
         foreach ($langs as $l) {
             if (file_exists("{$this->base}/$l/$path")) {
                 $this->lang = $l;
-                $this->filepath = realpath("{$this->base}/$l/$path");
+                $this->filepath = Misc::realpath("{$this->base}/$l/$path");
                 break;
             }
         }

include/class.misc.php

@@ -139,5 +139,10 @@ class Misc {
         return $output;
     }
 
+    function realpath($path) {
+        $rp = realpath($path);
+        return $rp ? $rp : $path;
+    }
+
 }
 ?>

include/class.pdf.php

@@ -14,7 +14,7 @@
     vim: expandtab sw=4 ts=4 sts=4:
 **********************************************************************/
 
-define('THIS_DIR', str_replace('\\', '/', realpath(dirname(__FILE__))) . '/'); //Include path..
+define('THIS_DIR', str_replace('\\', '/', Misc::realpath(dirname(__FILE__))) . '/'); //Include path..
 
 require_once(INCLUDE_DIR.'mpdf/mpdf.php');
 

pages/index.php

@@ -14,7 +14,7 @@
 
     vim: expandtab sw=4 ts=4 sts=4:
 **********************************************************************/
-@chdir(realpath(dirname(__file__).'/../'));
+@chdir(dirname(__file__).'/../');
 
 require_once('client.inc.php');
 require_once(INCLUDE_DIR.'class.format.php');

setup/cli/modules/deploy.php

@@ -35,7 +35,7 @@ class Deployment extends Unpacker {
             if (is_file($start . '/main.inc.php')) break;
             $start .= '/..';
         }
-        return realpath($start);
+        return Misc::realpath($start);
     }
 
     /**
@@ -92,7 +92,7 @@ class Deployment extends Unpacker {
         if (!is_dir($this->destination))
             if (!@mkdir($this->destination, 0751, true))
                 die("Destination path does not exist and cannot be created");
-        $this->destination = realpath($this->destination).'/';
+        $this->destination = Misc::realpath($this->destination).'/';
 
         # Determine if this is an upgrade, and if so, where the include/
         # folder is currently located

setup/cli/modules/unpack.php

@@ -41,7 +41,7 @@ class Unpacker extends Module {
             if (is_dir($start . '/upload')) break;
             $start .= '/..';
         }
-        return realpath($start.'/upload');
+        return Misc::realpath($start.'/upload');
     }
 
     function change_include_dir($include_path) {