improve fix for symlink attacks to check subdirectories for symlinks too

[ikiwiki.git] / ikiwiki

diff --git a/ikiwiki b/ikiwiki
index 4ef6ceba39d3e7cb07dd32ea27dc27bade27bdf4..b1bc9984f2bd9475787808d65f886424c250e7cc 100755 (executable)
--- a/ikiwiki
+++ b/ikiwiki
@@ -202,15 +202,20 @@ sub readfile ($) { #{{{
        return $ret;
 } #}}}
 
-sub writefile ($$) { #{{{
-       my $file=shift;
+sub writefile ($$$) { #{{{
+       my $file=shift; # can include subdirs
+       my $destdir=shift; # directory to put file in
        my $content=shift;
        
-       if (-l $file) {
-               error("cannot write to a symlink ($file)");
+       my $test=$file;
+       while (length $test) {
+               if (-l "$destdir/$test") {
+                       error("cannot write to a symlink ($test)");
+               }
+               $test=dirname($test);
        }
 
-       my $dir=dirname($file);
+       my $dir=dirname("$destdir/$file");
        if (! -d $dir) {
                my $d="";
                foreach my $s (split(m!/+!, $dir)) {
@@ -221,7 +226,7 @@ sub writefile ($$) { #{{{
                }
        }
        
-       open (OUT, ">$file") || error("failed to write $file: $!");
+       open (OUT, ">$destdir/$file") || error("failed to write $destdir/$file: $!");
        print OUT $content;
        close OUT;
 } #}}}