From 2401da72c5744f75249d81bf98c3d58529c8a6eb Mon Sep 17 00:00:00 2001
From: Miraty <miraty@antopie.org>
Date: Fri, 10 Jun 2022 14:53:25 +0200
Subject: [PATCH] Fix symlink security flaw when sudoing chgrp

---
 public/auth/register.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/public/auth/register.php b/public/auth/register.php
index a538590..5983189 100644
--- a/public/auth/register.php
+++ b/public/auth/register.php
@@ -18,7 +18,7 @@ if (isset($_POST['username']) AND isset($_POST['password'])) {
 		umask(0002);
 		if (mkdir(CONF['ht']['ht_path'] . "/" . $_POST['username'], 0775) !== true)
 			serverError("Can't create user directory.");
-		exec(CONF['ht']['sudo_path'] . " " . CONF['ht']['chgrp_path'] . " " . CONF['ht']['sftpgo_group'] . " " . CONF['ht']['ht_path'] . "/" . $_POST['username'], $stdout, $code);
+		exec(CONF['ht']['sudo_path'] . " " . CONF['ht']['chgrp_path'] . " " . CONF['ht']['sftpgo_group'] . " " . CONF['ht']['ht_path'] . "/" . $_POST['username'] . " --no-dereference", $stdout, $code);
 		if ($code !== 0)
 			serverError("Can't change user directory group.");