From ff0164fb8e81b9fe627f8d64721776f2bc0e97be Mon Sep 17 00:00:00 2001
From: Usman Nasir
Date: Fri, 7 Feb 2020 21:29:05 +0500
Subject: [PATCH] command injection check in some fm functions

---
 filemanager/filemanager.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/filemanager/filemanager.py b/filemanager/filemanager.py
index 1304b566d..f1dc0185d 100755
--- a/filemanager/filemanager.py
+++ b/filemanager/filemanager.py
@@ -332,6 +332,12 @@ class FileManager:
             writeToFile.write(self.data['fileContent'].encode('utf-8'))
             writeToFile.close()
 
+            command = 'ls -la %s' % (self.data['fileName'])
+            output = ProcessUtilities.outputExecutioner(command)
+
+            if output.find('lrwxrwxrwx') > -1 and output.find('->') > -1:
+                return self.ajaxPre(0, 'File exists and is symlink.')
+
             if ACLManager.commandInjectionCheck(self.data['fileName']) == 1:
                 return self.ajaxPre(0, 'Not allowed to move in this path, please choose location inside home!')
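Review bot: The new `command = 'ls -la %s' % (self.data['fileName'])` interpolates the request-supplied file name into a shell command string and hands it to `ProcessUtilities.outputExecutioner` before the `ACLManager.commandInjectionCheck(self.data['fileName'])` guard on the following lines runs, so the guard this commit is titled for does not protect the call it adds. The symlink test does not need a subprocess at all; replacing the four added lines with `if os.path.islink(self.data['fileName']):` / `return self.ajaxPre(0, 'File exists and is symlink.')` removes the string-built command and also handles names containing spaces or shell metacharacters (confirm `os` is imported at file top, which is outside this hunk). Whichever form is kept, the check should move above the guard-free write: `writeToFile.write(...)`/`writeToFile.close()` on the context lines have already completed by the time the symlink result is inspected, so if `writeToFile` was opened on the same `fileName` the write has already followed the link. The enclosing method of `FileManager` starts and ends outside the hunk.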