From f599267459792e46503c42517e47017b57ae1cbe Mon Sep 17 00:00:00 2001
From: Robin Appelman <icewind@owncloud.com>
Date: Sat, 3 Nov 2012 00:21:10 +0100
Subject: [PATCH] check for filename blacklist in OC_Filesystem::isValidPath

---
 lib/filesystem.php       | 15 ++++++++++-----
 tests/lib/filesystem.php | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+), 5 deletions(-)

diff --git a/lib/filesystem.php b/lib/filesystem.php
index 45b039f89de..21118169dae 100644
--- a/lib/filesystem.php
+++ b/lib/filesystem.php
@@ -403,6 +403,9 @@ class OC_Filesystem{
 		if(strstr($path,'/../') || strrchr($path, '/') === '/..' ) {
 			return false;
 		}
+		if(self::isFileBlacklisted($path)){
+			return false;
+		}
 		return true;
 	}
 
@@ -412,20 +415,22 @@ class OC_Filesystem{
 	 * @param array $data from hook
 	 */
 	static public function isBlacklisted($data) {
-		$blacklist = array('.htaccess');
 		if (isset($data['path'])) {
 			$path = $data['path'];
 		} else if (isset($data['newpath'])) {
 			$path = $data['newpath'];
 		}
 		if (isset($path)) {
-			$filename = strtolower(basename($path));
-			if (in_array($filename, $blacklist)) {
-				$data['run'] = false;
-			}
+			$data['run'] = !self::isFileBlacklisted($path);
 		}
 	}
 
+	static public function isFileBlacklisted($path){
+		$blacklist = array('.htaccess');
+		$filename = strtolower(basename($path));
+		return in_array($filename, $blacklist);
+	}
+
 	/**
 	 * following functions are equivilent to their php buildin equivilents for arguments/return values.
 	 */
diff --git a/tests/lib/filesystem.php b/tests/lib/filesystem.php
index a13b80cc5c1..1fc2c270123 100644
--- a/tests/lib/filesystem.php
+++ b/tests/lib/filesystem.php
@@ -72,6 +72,41 @@ class Test_Filesystem extends UnitTestCase {
 		}
 	}
 
+	public function testBlacklist() {
+		OC_Hook::clear('OC_Filesystem');
+		OC_Hook::connect('OC_Filesystem', 'write', 'OC_Filesystem', 'isBlacklisted');
+		OC_Hook::connect('OC_Filesystem', 'rename', 'OC_Filesystem', 'isBlacklisted');
+
+		$run = true;
+		OC_Hook::emit(
+			OC_Filesystem::CLASSNAME,
+			OC_Filesystem::signal_write,
+			array(
+				OC_Filesystem::signal_param_path => '/test/.htaccess',
+				OC_Filesystem::signal_param_run => &$run
+			)
+		);
+		$this->assertFalse($run);
+
+		if (OC_Filesystem::getView()) {
+			$user = OC_User::getUser();
+		} else {
+			$user = uniqid();
+			OC_Filesystem::init('/' . $user . '/files');
+		}
+
+		OC_Filesystem::mount('OC_Filestorage_Temporary', array(), '/');
+
+		$rootView = new OC_FilesystemView('');
+		$rootView->mkdir('/' . $user);
+		$rootView->mkdir('/' . $user . '/files');
+
+		$this->assertFalse($rootView->file_put_contents('/.htaccess', 'foo'));
+		$this->assertFalse(OC_Filesystem::file_put_contents('/.htaccess', 'foo'));
+		$fh = fopen(__FILE__, 'r');
+		$this->assertFalse(OC_Filesystem::file_put_contents('/.htaccess', $fh));
+	}
+
 	public function testHooks() {
 		if(OC_Filesystem::getView()){
 			$user = OC_User::getUser();