check for filename blacklist in OC_Filesystem::isValidPath
authorRobin Appelman <icewind@owncloud.com>
Fri, 2 Nov 2012 23:21:10 +0000 (00:21 +0100)
committerRobin Appelman <icewind@owncloud.com>
Fri, 2 Nov 2012 23:25:33 +0000 (00:25 +0100)
lib/filesystem.php
tests/lib/filesystem.php

index 45b039f89defcf96b8b9abcce022d336e8c93239..21118169dae4d6882ee499c5b11235a3d7c682eb 100644 (file)
@@ -403,6 +403,9 @@ class OC_Filesystem{
                if(strstr($path,'/../') || strrchr($path, '/') === '/..' ) {
                        return false;
                }
+               if(self::isFileBlacklisted($path)){
+                       return false;
+               }
                return true;
        }
 
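Review bot: The new `self::isFileBlacklisted($path)` check only inspects the final path component, so a directory named `.htaccess` that has children is still accepted by isValidPath; whether that matters depends on how the web server treats such a directory, which this hunk does not show, so either check every component or document the limitation. A short why-comment on the new branch would help readers, e.g. `// reject names the web server interprets specially (see isFileBlacklisted)`. isValidPath's signature and its earlier checks start before this hunk.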
@@ -412,20 +415,22 @@ class OC_Filesystem{
         * @param array $data from hook
         */
        static public function isBlacklisted($data) {
-               $blacklist = array('.htaccess');
                if (isset($data['path'])) {
                        $path = $data['path'];
                } else if (isset($data['newpath'])) {
                        $path = $data['newpath'];
                }
                if (isset($path)) {
-                       $filename = strtolower(basename($path));
-                       if (in_array($filename, $blacklist)) {
-                               $data['run'] = false;
-                       }
+                       $data['run'] = !self::isFileBlacklisted($path);
                }
        }
 
+       static public function isFileBlacklisted($path){
+               $blacklist = array('.htaccess');
+               $filename = strtolower(basename($path));
+               return in_array($filename, $blacklist);
+       }
+
        /**
         * following functions are equivilent to their php buildin equivilents for arguments/return values.
         */
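Review bot: `$data['run'] = !self::isFileBlacklisted($path);` unconditionally overwrites the run flag, so a listener that ran earlier on the same signal and set `run` to false is reset to true for every non-blacklisted name; the removed code only ever cleared the flag. Keep the one-directional form: `if (self::isFileBlacklisted($path)) { $data['run'] = false; }`. The new isFileBlacklisted has no docblock and uses a loose in_array; suggest `/** @param string $path @return bool whether the lowercased basename is a reserved server file */` and `return in_array($filename, $blacklist, true);`.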
index a13b80cc5c1866a740cb4a66c6feece9789191b5..1fc2c270123f78fbbf79b700d8400c7beeda20ee 100644 (file)
@@ -72,6 +72,41 @@ class Test_Filesystem extends UnitTestCase {
                }
        }
 
+       public function testBlacklist() {
+               OC_Hook::clear('OC_Filesystem');
+               OC_Hook::connect('OC_Filesystem', 'write', 'OC_Filesystem', 'isBlacklisted');
+               OC_Hook::connect('OC_Filesystem', 'rename', 'OC_Filesystem', 'isBlacklisted');
+
+               $run = true;
+               OC_Hook::emit(
+                       OC_Filesystem::CLASSNAME,
+                       OC_Filesystem::signal_write,
+                       array(
+                               OC_Filesystem::signal_param_path => '/test/.htaccess',
+                               OC_Filesystem::signal_param_run => &$run
+                       )
+               );
+               $this->assertFalse($run);
+
+               if (OC_Filesystem::getView()) {
+                       $user = OC_User::getUser();
+               } else {
+                       $user = uniqid();
+                       OC_Filesystem::init('/' . $user . '/files');
+               }
+
+               OC_Filesystem::mount('OC_Filestorage_Temporary', array(), '/');
+
+               $rootView = new OC_FilesystemView('');
+               $rootView->mkdir('/' . $user);
+               $rootView->mkdir('/' . $user . '/files');
+
+               $this->assertFalse($rootView->file_put_contents('/.htaccess', 'foo'));
+               $this->assertFalse(OC_Filesystem::file_put_contents('/.htaccess', 'foo'));
+               $fh = fopen(__FILE__, 'r');
+               $this->assertFalse(OC_Filesystem::file_put_contents('/.htaccess', $fh));
+       }
+
        public function testHooks() {
                if(OC_Filesystem::getView()){
                        $user = OC_User::getUser();
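Review bot: testBlacklist only asserts the blocked case, so a hook that set `run` to false for every path would also pass; emit the same signal with a harmless name such as `'/test/foo.txt'` and add `$this->assertTrue($run);` before the filesystem assertions. The `'rename'` hook is connected but never exercised, so either emit the rename signal with a `newpath` parameter or drop that connect. The `$fh` opened on `__FILE__` is never closed; add `fclose($fh);` after the last assertion. The enclosing test class continues past this hunk.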