open-dsi
/
nextcloud-server
mirror of https://github.com/nextcloud/server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

check for filename blacklist in OC_Filesystem::isValidPath

Browse Source
remotes/origin/stable45
Robin Appelman 13 years ago
parent 3cd416b667
commit f599267459
2 changed files with 45 additions and 5 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 15
      lib/filesystem.php
  2. 35
      tests/lib/filesystem.php

15
lib/filesystem.php
Unescape View File

@ -403,6 +403,9 @@ class OC_Filesystem{
if(strstr($path,'/../') || strrchr($path, '/') === '/..' ) {
return false;
}
if(self::isFileBlacklisted($path)){
return false;
}
return true;
}
@ -412,20 +415,22 @@ class OC_Filesystem{
* @param array $data from hook
*/
static public function isBlacklisted($data) {
$blacklist = array('.htaccess');
if (isset($data['path'])) {
$path = $data['path'];
} else if (isset($data['newpath'])) {
$path = $data['newpath'];
}
if (isset($path)) {
$filename = strtolower(basename($path));
if (in_array($filename, $blacklist)) {
$data['run'] = false;
}
$data['run'] = !self::isFileBlacklisted($path);
}
}
static public function isFileBlacklisted($path){
$blacklist = array('.htaccess');
$filename = strtolower(basename($path));
return in_array($filename, $blacklist);
}
/**
* following functions are equivilent to their php buildin equivilents for arguments/return values.
*/

35
tests/lib/filesystem.php
Unescape View File

@ -72,6 +72,41 @@ class Test_Filesystem extends UnitTestCase {
}
}
public function testBlacklist() {
OC_Hook::clear('OC_Filesystem');
OC_Hook::connect('OC_Filesystem', 'write', 'OC_Filesystem', 'isBlacklisted');
OC_Hook::connect('OC_Filesystem', 'rename', 'OC_Filesystem', 'isBlacklisted');
$run = true;
OC_Hook::emit(
OC_Filesystem::CLASSNAME,
OC_Filesystem::signal_write,
array(
OC_Filesystem::signal_param_path => '/test/.htaccess',
OC_Filesystem::signal_param_run => &$run
)
);
$this->assertFalse($run);
if (OC_Filesystem::getView()) {
$user = OC_User::getUser();
} else {
$user = uniqid();
OC_Filesystem::init('/' . $user . '/files');
}
OC_Filesystem::mount('OC_Filestorage_Temporary', array(), '/');
$rootView = new OC_FilesystemView('');
$rootView->mkdir('/' . $user);
$rootView->mkdir('/' . $user . '/files');
$this->assertFalse($rootView->file_put_contents('/.htaccess', 'foo'));
$this->assertFalse(OC_Filesystem::file_put_contents('/.htaccess', 'foo'));
$fh = fopen(__FILE__, 'r');
$this->assertFalse(OC_Filesystem::file_put_contents('/.htaccess', $fh));
}
public function testHooks() {
if(OC_Filesystem::getView()){
$user = OC_User::getUser();

Write Preview
Loading…
Cancel
Save