Index: openacs-4/packages/acs-content-repository/tcl/content-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-content-repository/tcl/content-procs.tcl,v
diff -u -r1.16.2.7 -r1.16.2.8
--- openacs-4/packages/acs-content-repository/tcl/content-procs.tcl	27 Nov 2022 18:01:37 -0000	1.16.2.7
+++ openacs-4/packages/acs-content-repository/tcl/content-procs.tcl	23 Apr 2024 16:21:55 -0000	1.16.2.8
@@ -68,6 +68,16 @@
 
     if the -move flag is given the file is renamed instead
 } {
+    #
+    # A malicious user may try to sneak a symlink in the content
+    # repository, for instance, via a zip file upload. We want to
+    # prevent this.
+    #
+    file lstat $client_filename file_info
+    if {$file_info(type) eq "link"} {
+        error "Attempt to store a symlink in the content repository!"
+    }
+
     set content_file [cr_create_content_file_path $item_id $revision_id]
     set dir [cr_fs_path]
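Review bot: The new guard at the top of the proc body rejects only the `link` type, so the other non-regular types `file lstat` can report (directory, fifo, socket, character or block special) still reach the storage code. An allowlist is tighter: `if {$file_info(type) ne "file"} {`, with the error text reworded to say "non-regular file". The test is also made on the path name, while the copy or rename presumably happens later in the body, which continues outside this hunk. If `$client_filename` sits in a directory that another process can write to, the entry could be swapped between the `lstat` and its use, so I would add a comment such as `# assumes the upload temp directory is writable only by the server process`. An `lstat` type test does not detect hard links either, which is worth stating in the same comment block.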