Add deprecation notice to load* functions

This functions are deprecated and/or removed since ownCloud 7. Additionally a issubdirectory check has been added here to prevent developers to use this function in a potentially insecure way.

Port of https://github.com/owncloud/core/pull/9033

diff --git a/.htaccess b/.htaccess
index ee4d5af1d85b28be6fe177d27b8638311ec41829..f34dd9d66b13828edf35b4724fce48aa6898bff9 100644 (file)
--- a/.htaccess
+++ b/.htaccess
@@ -38,3 +38,6 @@ Options -Indexes
 <IfModule pagespeed_module>
         ModPagespeed Off
 </IfModule>
+
+ErrorDocument 403 /core/core/templates/403.php
+ErrorDocument 404 /core/core/templates/404.php
\ No newline at end of file

diff --git a/lib/base.php b/lib/base.php
index 5871ecba839a91459b6a4df38fd28ac628a33b5c..dcaf3725fcb47a77f67cfd1392f5146e85a0a93e 100644 (file)
--- a/lib/base.php
+++ b/lib/base.php
@@ -785,14 +785,18 @@ class OC {
         * Load a PHP file belonging to the specified application
         * @param array $param The application and file to load
         * @return bool Whether the file has been found (will return 404 and false if not)
+        * @deprecated This function will be removed in ownCloud 8 - use proper routing instead
+        * @param $param
+        * @return bool Whether the file has been found (will return 404 and false if not)
         */
        public static function loadAppScriptFile($param) {
                OC_App::loadApps();
                $app = $param['app'];
                $file = $param['file'];
                $app_path = OC_App::getAppPath($app);
-               if (OC_App::isEnabled($app) && $app_path !== false) {
-                       $file = $app_path . '/' . $file;
+               $file = $app_path . '/' . $file;
+
+               if (OC_App::isEnabled($app) && $app_path !== false && OC_Helper::issubdirectory($file, $app_path)) {
                        unset($app, $app_path);
                        if (file_exists($file)) {
                                require_once $file;