Check if the file isReadable() before sending a (cached) preview

diff --git a/core/ajax/preview.php b/core/ajax/preview.php
index 2894efdc8e3826a2b3939d90f5907c4e918cb593..6cfba6aef30320dc89eaf47fbf978385d0c19fab 100644 (file)
--- a/core/ajax/preview.php
+++ b/core/ajax/preview.php
@@ -53,6 +53,8 @@ $info = \OC\Files\Filesystem::getFileInfo($file);
 
 if (!$info instanceof OCP\Files\FileInfo || !$always && !\OC::$server->getPreviewManager()->isAvailable($info)) {
        \OC_Response::setStatus(404);
+} else if (!$info->isReadable()) {
+       \OC_Response::setStatus(403);
 } else {
        $preview = new \OC\Preview(\OC_User::getUser(), 'files');
        $preview->setFile($file, $info);

diff --git a/lib/private/Preview.php b/lib/private/Preview.php
index 70b000a30ee3af4bfe7d35c3e4b9fafc14b6479a..67838a8d4a318b0a1f019d72b39885f79bf27d07 100644 (file)
--- a/lib/private/Preview.php
+++ b/lib/private/Preview.php
@@ -763,7 +763,7 @@ class Preview {
 
                $this->preview = null;
                $fileInfo = $this->getFileInfo();
-               if ($fileInfo === null || $fileInfo === false) {
+               if ($fileInfo === null || $fileInfo === false || !$fileInfo->isReadable()) {
                        return new \OC_Image();
                }