var downloadScope = 'file';
}
FileActions.register(downloadScope,'Download',function(){return OC.imagePath('core','actions/download')},function(filename){
- window.location=OC.filePath('files', 'ajax', 'download.php?files='+encodeURIComponent(filename)+'&dir='+encodeURIComponent($('#dir').val()));
+ window.location=OC.filePath('files', 'ajax', 'download.php') + '?files='+encodeURIComponent(filename)+'&dir='+encodeURIComponent($('#dir').val());
});
});
var dir=$('#dir').val()||'/';
$('#notification').text(t('files','generating ZIP-file, it may take some time.'));
$('#notification').fadeIn();
- window.location=OC.filePath('files', 'ajax', 'download.php?files='+encodeURIComponent(files)+'&dir='+encodeURIComponent(dir));
+ window.location=OC.filePath('files', 'ajax', 'download.php') + '?files='+encodeURIComponent(files)+'&dir='+encodeURIComponent(dir);
return false;
});
filePath:function(app,type,file){
var isCore=OC.coreApps.indexOf(app)!=-1;
var link=OC.webroot;
- var splitted = file.split('?');
- if((splitted[0].substring(splitted[0].length-3) == 'php' || splitted[0].substring(splitted[0].length-3) == 'css') && !isCore){
+ if((file.substring(file.length-3) == 'php' || file.substring(file.length-3) == 'css') && !isCore){
link+='/?app=' + app + '&getfile=';
if(type){
link+=encodeURI(type + '/');
}
- link+= file + '?' + splitted[1];
+ link+= file;
}else if(file.substring(file.length-3) != 'php' && !isCore){
link=OC.appswebroot;
link+='/';
}
public static function loadapp(){
- if(file_exists(OC::$APPSROOT . '/apps/' . OC::$REQUESTEDAPP)){
+ if(file_exists(OC::$APPSROOT . '/apps/' . OC::$REQUESTEDAPP . '/index.php')){
require_once(OC::$APPSROOT . '/apps/' . OC::$REQUESTEDAPP . '/index.php');
}else{
trigger_error('The requested App was not found.', E_USER_ERROR);//load default app instead?
register_shutdown_function(array('OC_Helper','cleanTmp'));
self::$REQUESTEDAPP = (isset($_GET['app'])?strip_tags($_GET['app']):'files');
- self::$REQUESTEDFILE = $_GET['getfile'];
+ self::$REQUESTEDFILE = (isset($_GET['getfile'])?$_GET['getfile']:null);
if(substr_count(self::$REQUESTEDFILE, '?') != 0){
$file = substr(self::$REQUESTEDFILE, 0, strpos(self::$REQUESTEDFILE, '?'));
$param = substr(self::$REQUESTEDFILE, strpos(self::$REQUESTEDFILE, '?') + 1);
self::$REQUESTEDFILE = $file;
$_GET['getfile'] = $file;
}
- self::$REQUESTEDFILE = (isset($_GET['getfile'])?(OC_Helper::issubdirectory(OC::$APPSROOT . '/' . self::$REQUESTEDAPP . '/' . self::$REQUESTEDFILE, OC::$APPSROOT . '/' . self::$REQUESTEDAPP)?self::$REQUESTEDFILE:null):null);
+ if(!is_null(self::$REQUESTEDFILE)){
+ $subdir = OC::$APPSROOT . '/' . self::$REQUESTEDAPP . '/' . self::$REQUESTEDFILE;
+ $parent = OC::$APPSROOT . '/' . self::$REQUESTEDAPP;
+ if(!OC_Helper::issubdirectory($subdir, $parent)){
+ self::$REQUESTEDFILE = null;
+ //header('HTTP/1.0 404 Not Found');
+ exit;
+ }
+ }
}
}
* @return bool
*/
public static function issubdirectory($sub, $parent){
- return (substr(realpath($sub), 0, strlen(realpath($parent))) == realpath($parent))?true:false;
+ if($sub == null || $sub == '' || $parent == null || $parent == ''){
+ return false;
+ }
+ $realpath_sub = realpath($sub);
+ $realpath_parent = realpath($parent);
+ if(($realpath_sub == false && substr_count($realpath_sub, './') != 0) || ($realpath_parent == false && substr_count($realpath_parent, './') != 0)){ //it checks for both ./ and ../
+ return false;
+ }
+ if($realpath_sub && $realpath_sub != '' && $realpath_parent && $realpath_parent != ''){
+ if(substr($sub, 0, strlen($parent)) == $parent){
+ return true;
+ }
+ }else{
+ if(substr($realpath_sub, 0, strlen($realpath_parent)) == $realpath_parent){
+ return true;
+ }
+ }
+ return false;
}
}