SUPEE-9767, modman and symlinks
Here are some clarifications regarding this change:
First read this explanation from Peter O'Callaghan; it will give you a good understanding: https://peterocallaghan.co.uk/2017/06/appsec-1281-dangerous-symlinks/
Also another interesting read is this post by Max Chadwick https://maxchadwick.xyz/blog/what-allow-symlinks-actually-does
This modification is really about calling uploadable content (like images) via template directives.
The issue related to symlinks is exploitable only with admin access and Magento added some more protection around image uploads as well.
Please note that there are some protections against known ways to exploit it in addition to the setting itself.
So if you understand the risk involved, you can leave symlinks enabled.
If you need to enable them for a fresh install, you can run:
UPDATE core_config_data SET value = 1 WHERE path = "dev/template/allow_symlink";
The issue is not symlinks, the issue is paths that reach up levels such as ../../../../../media/tmp/hahaha.png. If I am wrong on this please enlighten me. The "fix" was titled "Allow symlinks" and enabling this disables the check which was implemented using realpath(). In my opinion a fix that is just as secure, more performant and still compatible with symlinks is to use strpos($path, '..') and/or to check that the realpath() matches certain risky directories like media and var. If implemented like this it wouldn't need to be configurable; it could just always be enabled and still not break thousands of stores.
Regardless, your web server user should not have access to write files in the source code directories (like Magento Connect does...) so that is another way to prevent malicious code being written somewhere and executed as a block template.
So, this attack on symlinks is just misdirected and a better fix exists. In fact, I provided one over a year ago and there is even a link to it in the modman github README.
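The check described in the comment above, written out as an added example. This is not Magento's code and not the patch linked from the modman README; the helper name isSafeTemplatePath, the directory layout it builds under the system temp dir, and the choice of media and var as the "risky" directories are assumptions made for the illustration. It rejects any ".." segment before touching the filesystem, then resolves the remainder with realpath() (which follows symlinks, so a modman-linked module directory still works), and finally refuses any file whose resolved location sits under a directory the web server user can write to.

```php
<?php
// Added example, not Magento's own code: a template-path check that keeps
// symlinks usable while blocking traversal into web-writable directories.

function isSafeTemplatePath(string $requested, string $designBase, array $riskyDirs): bool
{
    // 1. Refuse any ".." segment textually, before the filesystem is consulted.
    //    This stops ../../media/tmp/evil.phtml however the path would resolve.
    foreach (preg_split('#[/\\\\]+#', $requested) as $segment) {
        if ($segment === '..') {
            return false;
        }
    }

    // 2. Resolve the candidate. realpath() follows symlinks, so a modman link
    //    inside app/design resolves to the module's real directory, which is fine.
    $resolved = realpath($designBase . DIRECTORY_SEPARATOR . $requested);
    if ($resolved === false) {
        return false; // file does not exist
    }

    // 3. Whatever it resolved to must not live under a directory that uploads
    //    land in (media/, var/). The trailing separators avoid matching
    //    "media-extra" when checking "media".
    foreach ($riskyDirs as $risky) {
        $riskyReal = realpath($risky);
        if ($riskyReal !== false
            && strpos($resolved . DIRECTORY_SEPARATOR, $riskyReal . DIRECTORY_SEPARATOR) === 0) {
            return false;
        }
    }
    return true;
}

// Constructed directory layout (assumption for the demo) under the temp dir:
//   app/design/frontend/base/page.phtml          ordinary template
//   app/design/frontend/mymodule -> .modman/...  modman-style symlink
//   media/tmp/evil.phtml                         an "uploaded" file
$root   = sys_get_temp_dir() . '/symlink-demo-' . getmypid();
$design = "$root/app/design";
mkdir("$design/frontend/base", 0700, true);
mkdir("$root/media/tmp", 0700, true);
mkdir("$root/.modman/mymodule/design/frontend/mymodule", 0700, true);
file_put_contents("$design/frontend/base/page.phtml", '');
file_put_contents("$root/media/tmp/evil.phtml", '');
file_put_contents("$root/.modman/mymodule/design/frontend/mymodule/block.phtml", '');
symlink("$root/.modman/mymodule/design/frontend/mymodule", "$design/frontend/mymodule");

$risky = ["$root/media", "$root/var"]; // var/ need not exist; realpath() then skips it
$cases = [
    'frontend/base/page.phtml'                    => true,  // plain template: allowed
    'frontend/mymodule/block.phtml'               => true,  // via symlink: still allowed
    '../../media/tmp/evil.phtml'                  => false, // traversal into uploads
    'frontend/base/../../../media/tmp/evil.phtml' => false, // traversal hidden mid-path
];
foreach ($cases as $path => $expected) {
    $ok = isSafeTemplatePath($path, $design, $risky);
    printf("%-46s %s\n", $path, $ok === $expected ? 'as expected' : 'UNEXPECTED');
}
```

Both halves of the check matter: the textual ".." test is cheap and needs no filesystem access, while the realpath() comparison also catches a symlink that points from somewhere harmless into media or var, which a string test alone would miss.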