Disallow overwriting existing applications by using relative paths

see https://www.woltlab.com/forum/index.php/Thread/222390-%C3%9Cberschreiben-von-Endanwendungen-m%C3%B6glich/

diff --git a/wcfsetup/install/files/lib/system/package/PackageInstallationDispatcher.class.php b/wcfsetup/install/files/lib/system/package/PackageInstallationDispatcher.class.php
index 62d8836580d69bcf592b3a70259aef6dca6f4a1f..826dc8ecc54641463156c489a03ef13386d56028 100644 (file)
--- a/wcfsetup/install/files/lib/system/package/PackageInstallationDispatcher.class.php
+++ b/wcfsetup/install/files/lib/system/package/PackageInstallationDispatcher.class.php
@@ -693,7 +693,8 @@ class PackageInstallationDispatcher {
                else {
                        $document = PackageInstallationFormManager::getForm($this->queue, 'packageDir');
                        $document->handleRequest();
-                       $packageDir = FileUtil::addTrailingSlash(FileUtil::unifyDirSeparator($document->getValue('packageDir')));
+                       $packageDir = FileUtil::addTrailingSlash(FileUtil::getRealPath(FileUtil::unifyDirSeparator($document->getValue('packageDir'))));
+                       if ($packageDir === '/') $packageDir = '';
                        
                        if ($packageDir !== null) {
                                // validate package dir