Prevent directory traversals in ctr of \OC\Files\View
authorLukas Reschke <lukas@owncloud.com>
Wed, 18 Feb 2015 15:01:24 +0000 (16:01 +0100)
committerLukas Reschke <lukas@owncloud.com>
Wed, 18 Feb 2015 17:17:33 +0000 (18:17 +0100)
This prevents misuse of \OC\Files\View when it is called with user-supplied input. In such cases an exception is now thrown.

lib/private/files/view.php
tests/lib/files/view.php

index 3bc9fdff1ee6ad53679aa0472efb42099ff0d930..3dfd4d0c105da92ec29667c156a0f803f5fe2814 100644 (file)
@@ -36,7 +36,15 @@ class View {
         */
        protected $updater;
 
+       /**
+        * @param string $root
+        * @throws \Exception If $root contains an invalid path
+        */
        public function __construct($root = '') {
+               if(!Filesystem::isValidPath($root)) {
+                       throw new \Exception();
+               }
+
                $this->fakeRoot = $root;
                $this->updater = new Updater($this);
        }
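Review bot: The new guard in `__construct` throws a bare `\Exception` with no message, so a caller cannot catch the traversal rejection separately from any other failure, and whatever gets logged carries nothing to triage on. A message-bearing throw such as `throw new \Exception('View root is not a valid path');` (or a dedicated exception class, if the project has one) would fix that; the rejected value is better logged separately than placed in the message, in case the message is ever rendered to a client. The check also runs only at construction time: the class body continues outside this hunk, and any other method that assigns `$this->fakeRoot` would need the same `Filesystem::isValidPath()` call for the guarantee to hold.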
index f6af59d52be57f1251156b3c80914f947714f5da..b4b6d0deb2ea69be34782db07505f88bce8d3a3e 100644 (file)
@@ -894,4 +894,21 @@ class View extends \Test\TestCase {
                $this->assertFalse($view->unlink('foo.txt'));
                $this->assertTrue($cache->inCache('foo.txt'));
        }
+
+       function directoryTraversalProvider() {
+               return [
+                       ['../test/'],
+                       ['..\\test\\my/../folder'],
+                       ['/test/my/../foo\\'],
+               ];
+       }
+
+       /**
+        * @dataProvider directoryTraversalProvider
+        * @expectedException \Exception
+        * @param string $root
+        */
+       public function testConstructDirectoryTraversalException($root) {
+               new \OC\Files\View($root);
+       }
 }
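Review bot: `@expectedException \Exception` on `testConstructDirectoryTraversalException` is satisfied by any exception at all, so the test still passes if the constructor fails for an unrelated reason and the path check is never reached. Asserting a specific exception class or message would tie the test to the guard. The provider covers a leading `../`, backslash separators and a mid-path `/../`, but has no row for a root that ends in `..` without a trailing separator, and no test shows that a name merely containing dots, such as `..foo`, is still accepted; both are worth pinning, since `isValidPath()` itself is not visible here. `directoryTraversalProvider` should also declare `public`, like the test method below it.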