verify that paths are valid for recursive local move

author Robin Appelman <robin@icewind.nl>

Thu, 27 Jun 2019 09:10:08 +0000 (11:10 +0200)

committer Backportbot <backportbot-noreply@rullzer.com>

Thu, 27 Jun 2019 14:37:35 +0000 (14:37 +0000)
author Robin Appelman <robin@icewind.nl>
Thu, 27 Jun 2019 09:10:08 +0000 (11:10 +0200)
committer Backportbot <backportbot-noreply@rullzer.com>
Thu, 27 Jun 2019 14:37:35 +0000 (14:37 +0000)
diff --git a/lib/private/Files/Storage/Local.php b/lib/private/Files/Storage/Local.php

index 5f7232e64b3a99ee8ed0e6f7e38da22cd29a158d..e3e6ac783d9524cf784cc5f648cbed5a0d477394 100644 (file)
--- a/lib/private/Files/Storage/Local.php
+++ b/lib/private/Files/Storage/Local.php
@@ -39,6 +39,7 @@
  
  namespace OC\Files\Storage;
  
+use OC\Files\Filesystem;
  use OC\Files\Storage\Wrapper\Jail;
  use OCP\Files\ForbiddenException;
  use OCP\Files\Storage\IStorage;
@@ -231,6 +232,18 @@ class Local extends \OC\Files\Storage\Common {
  
         }
  
+       private function treeContainsBlacklistedFile(string $path): bool {
+               $iterator = new \RecursiveIteratorIterator(new \RecursiveDirectoryIterator($path));
+               foreach ($iterator as $file) {
+                       /** @var \SplFileInfo $file */
+                       if (Filesystem::isFileBlacklisted($file->getBasename())) {
+                               return true;
+                       }
+               }
+
+               return false;
+       }
+
         public function rename($path1, $path2) {
                 $srcParent = dirname($path1);
                 $dstParent = dirname($path2);
@@ -267,6 +280,10 @@ class Local extends \OC\Files\Storage\Common {
                                 }
                                 return $result;
                         }
+
+                       if ($this->treeContainsBlacklistedFile($this->getSourcePath($path1))) {
+                               throw new ForbiddenException('Invalid path', false);
+                       }
                 }
  
                 return rename($this->getSourcePath($path1), $this->getSourcePath($path2));
@@ -362,6 +379,10 @@ class Local extends \OC\Files\Storage\Common {
          * @throws ForbiddenException
          */
         public function getSourcePath($path) {
+               if (Filesystem::isFileBlacklisted($path)) {
+                       throw new ForbiddenException('Invalid path', false);
+               }
+
                 $fullPath = $this->datadir . $path;
                 $currentPath = $path;
                 if ($this->allowSymlinks || $currentPath === '') {
author	Robin Appelman <robin@icewind.nl>
	Thu, 27 Jun 2019 09:10:08 +0000 (11:10 +0200)
committer	Backportbot <backportbot-noreply@rullzer.com>
	Thu, 27 Jun 2019 14:37:35 +0000 (14:37 +0000)