Topic: | Unzip binary may create symbolic links pointing outside of dataroot on unix/linux servers |
Severity: | Major |
Versions affected: | < 1.9.5, < 1.8.9, 1.7.x, 1.6.x |
Reported by: | Marc-Robin Wendt |
Issue no.: | MDL-18415 |
Solution: | upgrade to 1.9.5 or 1.8.9 |
Workaround: | use default internal unzip method |
Description:
Marc-Robin Wendt reported the problem and proposed a way to eliminate symbolic links when unzipping files. The Info-ZIP executables store symbolic links in archives and recreate them on extraction, so a crafted archive unpacked with the external unzip binary can leave behind a link that points outside dataroot. By default only trusted users are allowed to extract zip files, so this should not be exploitable by students unless roles are misconfigured or a third-party extension exposes unzipping to them.
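As an added illustration (not code from this advisory or from Moodle), the Python script below builds a constructed archive of the kind this issue concerns and shows the check a practitioner would run before handing a user-supplied zip to any extractor. A symlink entry is recognised from the Unix mode bits kept in the high 16 bits of the entry's external attributes (the link target is stored as the entry's data, which is what Info-ZIP unzip uses to recreate the link), and names containing `..` are treated as traversal. All file names, contents and function names are invented for the example; none of them are Moodle APIs.

```python
import io
import os
import posixpath
import stat
import tempfile
import zipfile

# For archives created on Unix, the high 16 bits of an entry's external
# attributes hold the st_mode of the original file, so a symbolic link
# carries S_IFLNK there. Info-ZIP unzip reads these bits to recreate the link.


def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    """True if the Unix mode bits of the entry say it is a symbolic link."""
    return stat.S_ISLNK(info.external_attr >> 16)


def escapes_target(name: str) -> bool:
    """True if an entry name would land outside the extraction directory."""
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return True  # absolute path or drive letter
    return ".." in posixpath.normpath(name).split("/")


def audit_zip(data: bytes) -> dict:
    """Classify every entry as 'ok', 'symlink' or 'traversal'."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_symlink_entry(info):
                verdicts[info.filename] = "symlink"
            elif escapes_target(info.filename):
                verdicts[info.filename] = "traversal"
            else:
                verdicts[info.filename] = "ok"
    return verdicts


def safe_extract(data: bytes, dest: str) -> list:
    """Write regular files and directories only, all inside dest.

    The whole archive is refused if any entry is a symlink or escapes dest,
    so a mixed archive cannot smuggle one bad entry past a partial check.
    """
    bad = {n: v for n, v in audit_zip(data).items() if v != "ok"}
    if bad:
        raise ValueError(f"refusing archive: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            out = os.path.join(dest, *info.filename.split("/"))
            if info.is_dir():
                os.makedirs(out, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(out), exist_ok=True)
            with zf.open(info) as src, open(out, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(out, dest))
    return written


def build_malicious_zip() -> bytes:
    """Constructed sample: one harmless file, one symlink entry whose target
    lies outside the extraction root, and one plain '../' traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("course/notes.txt", b"harmless content\n")

        link = zipfile.ZipInfo("course/config")
        link.create_system = 3  # 3 = Unix, so external_attr is read as mode bits
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        # A symlink entry's data is its target path (made-up target here).
        zf.writestr(link, b"../../../config.php")

        zf.writestr("../outside.txt", b"lands above the extraction root\n")
    return buf.getvalue()


def build_clean_zip() -> bytes:
    """Constructed sample containing regular files only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("course/notes.txt", b"harmless content\n")
        zf.writestr("course/img/logo.txt", b"placeholder\n")
    return buf.getvalue()


def demo() -> tuple:
    """Audit the malicious archive, confirm it is refused, extract the clean one."""
    bad = build_malicious_zip()
    verdicts = audit_zip(bad)
    with tempfile.TemporaryDirectory() as d:
        try:
            safe_extract(bad, d)
            refused = False
        except ValueError:
            refused = True
        clean_files = safe_extract(build_clean_zip(), d)
    return verdicts, refused, sorted(clean_files)


if __name__ == "__main__":
    print(demo())
```

Refusing the whole archive rather than skipping the offending entries is deliberate: once a link to a directory outside the target exists, every later entry written beneath it also lands outside dataroot, so a check that inspects entries one at a time while extracting is not enough.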