* @return bool
*/
static public function isFileBlacklisted($filename) {
+ $filename = self::normalizePath($filename);
+
$blacklist = \OC_Config::getValue('blacklisted_files', array('.htaccess'));
$filename = strtolower(basename($filename));
- return (in_array($filename, $blacklist));
+ return in_array($filename, $blacklist);
}
/**
return '/';
}
+ //normalize unicode if possible
+ $path = \OC_Util::normalizeUnicode($path);
+
//no windows style slashes
$path = str_replace('\\', '/', $path);
$path = substr($path, 0, -2);
}
- //normalize unicode if possible
- $path = \OC_Util::normalizeUnicode($path);
-
$normalizedPath = $windows_drive_letter . $path;
self::$normalizedPathCache[$cacheKey] = $normalizedPath;
/**
* @param string $logicPath
+ * @return null
+ * @throws \OC\DatabaseException
*/
private function resolveLogicPath($logicPath) {
$logicPath = $this->resolveRelativePath($logicPath);
/**
* @param string $logicPath
- * @param boolean $store
+ * @param bool $store
+ * @return string
*/
private function create($logicPath, $store) {
$logicPath = $this->resolveRelativePath($logicPath);
}
/**
- * @param integer $index
+ * @param string $path
+ * @param int $index
+ * @return string
*/
public function slugifyPath($path, $index = null) {
$path = $this->stripRootFolder($path, $this->unchangedPhysicalRoot);
continue;
}
- $sluggedElements[] = self::slugify($pathElement);
+ $sluggedElements[] = $this->slugify($pathElement);
}
// apply index to file name
// trim ending dots (for security reasons and win compatibility)
$text = preg_replace('~\.+$~', '', $text);
- if (empty($text)) {
+ if (empty($text) || \OC\Files\Filesystem::isFileBlacklisted($text)) {
/**
* Item slug would be empty. Previously we used uniqid() here.
* However this means that the behaviour is not reproducible, so
* when uploading files into a "empty" folder, the folders name is
* different.
*
+ * The other case is, that the slugified name would be a blacklisted
+ * filename. In this case we just use the same workaround by
+ * returning the secure md5 hash of the original name.
+ *
+ *
* If there would be a md5() hash collision, the deduplicate check
* will spot this and append an index later, so this should not be
* a problem.
$this->assertSame($expected, \OC\Files\Filesystem::isValidPath($path));
}
+ public function isFileBlacklistedData() {
+ return array(
+ array('/etc/foo/bar/foo.txt', false),
+ array('\etc\foo/bar\foo.txt', false),
+ array('.htaccess', true),
+ array('.htaccess/', true),
+ array('.htaccess\\', true),
+ array('/etc/foo\bar/.htaccess\\', true),
+ array('/etc/foo\bar/.htaccess/', true),
+ array('/etc/foo\bar/.htaccess/foo', false),
+ array('//foo//bar/\.htaccess/', true),
+ array('\foo\bar\.HTAccess', true),
+ );
+ }
+
+ /**
+ * @dataProvider isFileBlacklistedData
+ */
+ public function testIsFileBlacklisted($path, $expected) {
+ $this->assertSame($expected, \OC\Files\Filesystem::isFileBlacklisted($path));
+ }
+
public function normalizePathWindowsAbsolutePathData() {
return array(
array('C:/', 'C:\\'),
*/
array('D:/' . md5('ありがとう'), 'D:/ありがとう'),
array('D:/' . md5('ありがとう') . '/issue6722.txt', 'D:/ありがとう/issue6722.txt'),
+ array('D:/' . md5('.htaccess'), 'D:/.htaccess'),
+ array('D:/' . md5('.htaccess.'), 'D:/.htaccess.'),
+ array('D:/' . md5('.htAccess'), 'D:/.htAccess'),
+ array('D:/' . md5('.htAccess\\…\\') . '/a', 'D:/.htAccess\…\/とa'),
+ array('D:/' . md5('.htaccess-'), 'D:/.htaccess-'),
+ array('D:/' . md5('.htaあccess'), 'D:/.htaあccess'),
+ array('D:/' . md5(' .htaccess'), 'D:/ .htaccess'),
+ array('D:/' . md5('.htaccess '), 'D:/.htaccess '),
+ array('D:/' . md5(' .htaccess '), 'D:/ .htaccess '),
);
}