github-actions[bot]
commented
2 weeks ago This issue is in "needs review" but there has been no activity for 7 days. ping @matomo-org/core-reviewers
Open danielpunkass opened 3 weeks ago
github-actions[bot]
commented
2 weeks ago This issue is in "needs review" but there has been no activity for 7 days. ping @matomo-org/core-reviewers
caddoo
commented
1 week ago @danielpunkass Thanks a lot for your contribution, really appreciated 🎉
I tested this locally and while it does work and achieve what is expected, we do lose a little user-friendliness with the messaging to our users.
Removing realpath means a relative filename is given which means the rm or rm -rF will only work when they are in their Matomo install directory whereas before they could be anywhere in their filesystem.
Maybe an idea would be to change it to use something like:
htmlspecialchars(realpath(dirname($fileFoundNotExpected)). '/' .basename($fileFoundNotExpected))
This seems to get the symlink location with the full absolute path and the resulting rm command doesn't touch the source file.
@matomo-org/core-reviewers any other opinions here?
github-actions[bot]
commented
2 days ago This issue is in "needs review" but there has been no activity for 7 days. ping @matomo-org/core-reviewers
Description:
If the FileIntegrity check discovers an unexpected symlink in the source tree, it causes Matomo to suggest to the user deleting the target of the symlink, instead of the symlink itself. At best this would be a nuisance, and at worst it could be catastrophic (if the user kept a symlink to files outside of Matomo's directory, for example). Fixes #16551.
Review