Compare the paths with unified directory separator in PackageInstallationDispatcher...
authorTim Düsterhus <duesterhus@woltlab.com>
Wed, 5 Apr 2023 14:30:38 +0000 (16:30 +0200)
committerTim Düsterhus <duesterhus@woltlab.com>
Wed, 5 Apr 2023 14:30:38 +0000 (16:30 +0200)
This is necessary for Windows which uses backslashes, whereas the entire
software hardcodes the slash as a directory separator (which is also accepted
by Windows).

Fixes #5370

wcfsetup/install/files/lib/system/package/PackageInstallationDispatcher.class.php

index ac08f505d77619236ca60375da9ca40b6aea1b05..a61de5d6383e55f945d306f606034acf975f0b67 100644 (file)
@@ -479,7 +479,7 @@ class PackageInstallationDispatcher
             }
 
             $this->archive = new PackageArchive($this->queue->archive);
-            if (!\str_starts_with(\realpath($this->archive->getArchive()), \TMP_DIR)) {
+            if (!\str_starts_with(FileUtil::unifyDirSeparator(\realpath($this->archive->getArchive())), \TMP_DIR)) {
                 throw new \Exception('Refusing to handle an archive outside of the temporary directory.');
             }
             $this->archive->openArchive();