open-dsi
/
nextcloud-server
mirror of https://github.com/nextcloud/server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Filter potential dangerous filenames for avatars

Browse Source 
We don't want to have users misusing this API resulting in a potential file disclosure of "avatar.(jpg|png)" files.
remotes/origin/poc-doctrine-migrations
Lukas Reschke 11 years ago
parent 132ce04f31
commit 34d0e610cc
3 changed files with 34 additions and 4 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 14
      lib/private/avatar.php
  2. 1
      lib/private/avatarmanager.php
  3. 23
      tests/lib/avatar.php

14
lib/private/avatar.php
Unescape View File

@ -8,6 +8,7 @@
* @author Robin McCorkell <rmccorkell@karoshi.org.uk>
* @author Roeland Jago Douma <roeland@famdouma.nl>
* @author Thomas Müller <thomas.mueller@tmit.eu>
* @author Lukas Reschke <lukas@owncloud.com>
*
* @copyright Copyright (c) 2015, ownCloud, Inc.
* @license AGPL-3.0
@ -26,23 +27,28 @@
*
*/
namespace OC;
namespace OC;
use OC_Image;
use OC\Files\Filesystem;
use OC_Image;
/**
* This class gets and sets users avatars.
*/
class Avatar implements \OCP\IAvatar {
/** @var Files\View */
private $view;
/**
* constructor
* @param string $user user to do avatar-management with
*/
* @throws \Exception In case the username is potentially dangerous
*/
public function __construct ($user) {
if(!Filesystem::isValidPath($user)) {
throw new \Exception('Username may not contain slashes');
}
$this->view = new \OC\Files\View('/'.$user);
}

1
lib/private/avatarmanager.php
Unescape View File

@ -37,6 +37,7 @@ class AvatarManager implements IAvatarManager {
* @see \OCP\IAvatar
* @param string $user the ownCloud user id
* @return \OCP\IAvatar
* @throws \Exception In case the username is potentially dangerous
*/
public function getAvatar($user) {
return new Avatar($user);

23
tests/lib/avatar.php
Unescape View File

@ -34,6 +34,29 @@ class Test_Avatar extends \Test\TestCase {
}
}
/**
* @return array
*/
public function traversalProvider() {
return [
['Pot\..\entiallyDangerousUsername'],
['Pot/..\entiallyDangerousUsername'],
['PotentiallyDangerousUsername/..'],
['PotentiallyDangerousUsername\../'],
['/../PotentiallyDangerousUsername'],
];
}
/**
* @dataProvider traversalProvider
* @expectedException \Exception
* @expectedExceptionMessage Username may not contain slashes
* @param string $dangerousUsername
*/
public function testAvatarTraversal($dangerousUsername) {
new Avatar($dangerousUsername);
}
public function testAvatar() {
$avatar = new Avatar($this->user);

Write Preview
Loading…
Cancel
Save