* @return bool
*/
static public function isFileBlacklisted($filename) {
+ $filename = self::normalizePath($filename);
$blacklist = \OC_Config::getValue('blacklisted_files', array('.htaccess'));
$filename = strtolower(basename($filename));
- return (in_array($filename, $blacklist));
+ return in_array($filename, $blacklist);
}
/**
return '/';
}
+ //normalize unicode if possible
+ $path = \OC_Util::normalizeUnicode($path);
+
//no windows style slashes
$path = str_replace('\\', '/', $path);
$path = substr($path, 0, -2);
}
- //normalize unicode if possible
- $path = \OC_Util::normalizeUnicode($path);
-
return $windows_drive_letter . $path;
}
// trim ending dots (for security reasons and win compatibility)
$text = preg_replace('~\.+$~', '', $text);
- if (empty($text)) {
+ if (empty($text) || \OC\Files\Filesystem::isFileBlacklisted($text)) {
/**
* Item slug would be empty. Previously we used uniqid() here.
* However this means that the behaviour is not reproducible, so
* when uploading files into a "empty" folder, the folders name is
* different.
*
+ * The other case is, that the slugified name would be a blacklisted
+ * filename. In this case we just use the same workaround by
+ * returning the secure md5 hash of the original name.
+ *
* If there would be a md5() hash collision, the deduplicate check
* will spot this and append an index later, so this should not be
* a problem.
}
}
+ public function isFileBlacklistedData() {
+ return array(
+ array('/etc/foo/bar/foo.txt', false),
+ array('\etc\foo/bar\foo.txt', false),
+ array('.htaccess', true),
+ array('.htaccess/', true),
+ array('.htaccess\\', true),
+ array('/etc/foo\bar/.htaccess\\', true),
+ array('/etc/foo\bar/.htaccess/', true),
+ array('/etc/foo\bar/.htaccess/foo', false),
+ array('//foo//bar/\.htaccess/', true),
+ array('\foo\bar\.HTAccess', true),
+ );
+ }
+
+ /**
+ * @dataProvider isFileBlacklistedData
+ */
+ public function testIsFileBlacklisted($path, $expected) {
+ $this->assertSame($expected, \OC\Files\Filesystem::isFileBlacklisted($path));
+ }
+
public function testNormalizeWindowsPaths() {
$this->assertEquals('/', \OC\Files\Filesystem::normalizePath(''));
$this->assertEquals('/', \OC\Files\Filesystem::normalizePath('\\'));
$this->assertEquals('D:/folder.name.with.peri-ods/te-st-2.t-x-t', $this->mapper->slugifyPath('D:/folder.name.with.peri ods/te st.t x t', 2));
$this->assertEquals('D:/folder.name.with.peri-ods/te-st.t-x-t', $this->mapper->slugifyPath('D:/folder.name.with.peri ods/te st.t x t'));
-
+ // files with special characters
+ $this->assertEquals('D:/' . md5('ありがとう'), $this->mapper->slugifyPath('D:/ありがとう'));
+ $this->assertEquals('D:/' . md5('ありがとう') . '/issue6722.txt', $this->mapper->slugifyPath('D:/ありがとう/issue6722.txt'));
+
+ // blacklisted files
+ $this->assertEquals('D:/' . md5('.htaccess'), $this->mapper->slugifyPath('D:/.htaccess'));
+ $this->assertEquals('D:/' . md5('.htaccess.'), $this->mapper->slugifyPath('D:/.htaccess.'));
+ $this->assertEquals('D:/' . md5('.htAccess'), $this->mapper->slugifyPath('D:/.htAccess'));
+ $this->assertEquals('D:/' . md5('.htAccess\\…\\') . '/a', $this->mapper->slugifyPath('D:/.htAccess\…\/とa'));
+ $this->assertEquals('D:/' . md5('.htaccess-'), $this->mapper->slugifyPath('D:/.htaccess-'));
+ $this->assertEquals('D:/' . md5('.htaあccess'), $this->mapper->slugifyPath('D:/.htaあccess'));
+ $this->assertEquals('D:/' . md5(' .htaccess'), $this->mapper->slugifyPath('D:/ .htaccess'));
+ $this->assertEquals('D:/' . md5('.htaccess '), $this->mapper->slugifyPath('D:/.htaccess '));
+ $this->assertEquals('D:/' . md5(' .htaccess '), $this->mapper->slugifyPath('D:/ .htaccess '));
+
}
}
projects / nextcloud-server.git / commitdiff