Question

With the latest SUPEE-9767 patch, which symlinks are actually affected?

I assume symlinks in /var and /media are ok. What about symlinks in app/etc/modules? Is it just symlinked .phtml template files that are the problem?

Just trying to pinpoint which symlinks may cause issues before patches are applied...


Solution

When we talk about symlinks and Magento we are referring to any symlinked Magento files (especially template files) that are included as part of the php compilation and execution process.

If you read the following two articles it will become clearer.

Magento validates the template view path in app/code/core/Mage/Core/Block/Template.php with its real folder path and if symlinks are not enabled, and the validation fails, it does not include the template file.

All Magento templates that are symlinked will be affected if symlinks are disabled after installing the patch. Magento modules that do not include templates may not be affected.

Enabling symlinks allows template files to be loaded outside of app/design and this is the security risk Magento are mitigating with the patch. A malicious user with admin access could enable a malicious symlinked template and remotely execute code on your server.

There is however nothing to stop you manually enabling symlinks and doing your own risk assessment as to the threats to your business this may bring.

If you manage your modules with modman then you must reenable symlinks as your store may be broken, which quite possibly is a greater threat to your business than a possible symlink vulnerability.

You can further mitigate the threat associated with symlinks being enabled by using a patched version of app/code/core/Mage/Core/Block/Template.php from the modman author.
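To pinpoint affected templates before applying the patch, the following is an added example (not part of the original answer, and not Magento's or modman's code) that lists every .phtml file reachable under app/design whose resolved path falls outside app/design. It assumes the validation is a prefix comparison against the real path of app/design, that `realpath` from coreutils is available, and `affected_templates` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: audit a Magento 1 tree for templates that resolve outside
# app/design, i.e. those that stop loading once symlinks are disabled.
# Assumption: the template check compares realpath(template) against
# realpath(app/design) as a path prefix.

affected_templates() {
    # $1 = Magento root directory
    design=$(realpath "$1/app/design") || return 2

    # -L follows symlinked files AND symlinked directories (modman creates
    # both), so templates inside a linked directory are found as well.
    find -L "$1/app/design" -type f -name '*.phtml' -exec sh -c '
        design=$1; shift
        for tpl in "$@"; do
            real=$(realpath "$tpl") || continue
            case "$real" in
                "$design"/*) ;;   # resolves inside app/design: unaffected
                *) printf "%s -> %s\n" "$tpl" "$real" ;;   # affected
            esac
        done
    ' sh "$design" {} +
}

# Stand-alone use: sh audit.sh /path/to/magento
if [ "$#" -gt 0 ]; then
    affected_templates "$1"
fi
```

An empty result means no template under app/design depends on symlinks being allowed; symlinks elsewhere in the tree are not covered by this check.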

Licensed under: CC-BY-SA with attribution
Not affiliated with magento.stackexchange