From: Thomas Müller <thomas.mueller@tmit.eu>
Date: Tue, 24 Sep 2013 11:26:12 +0000 (+0200)
Subject: adding privilege check on move and rename operations
X-Git-Tag: v6.0.0alpha2~123^2~2
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=ee1f627155cad4153f3da3160ca6040c137841d3;p=nextcloud-server.git

adding privilege check on move and rename operations
---

diff --git a/lib/connector/sabre/node.php b/lib/connector/sabre/node.php
index 0bffa58af78..29b7f9e53a5 100644
--- a/lib/connector/sabre/node.php
+++ b/lib/connector/sabre/node.php
@@ -78,6 +78,11 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr
 	 */
 	public function setName($name) {
 
+		// rename is only allowed if the update privilege is granted
+		if (!\OC\Files\Filesystem::isUpdatable($this->path)) {
+			throw new \Sabre_DAV_Exception_Forbidden();
+		}
+
 		list($parentPath, ) = Sabre_DAV_URLUtil::splitPath($this->path);
 		list(, $newName) = Sabre_DAV_URLUtil::splitPath($name);
 
@@ -135,6 +140,12 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr
 	 *  Even if the modification time is set to a custom value the access time is set to now.
 	 */
 	public function touch($mtime) {
+
+		// touch is only allowed if the update privilege is granted
+		if (!\OC\Files\Filesystem::isUpdatable($this->path)) {
+			throw new \Sabre_DAV_Exception_Forbidden();
+		}
+
 		\OC\Files\Filesystem::touch($this->path, $mtime);
 	}
 
diff --git a/lib/connector/sabre/objecttree.php b/lib/connector/sabre/objecttree.php
index acff45ed5e2..7accf98c8e1 100644
--- a/lib/connector/sabre/objecttree.php
+++ b/lib/connector/sabre/objecttree.php
@@ -64,7 +64,29 @@ class ObjectTree extends \Sabre_DAV_ObjectTree {
 		list($sourceDir,) = \Sabre_DAV_URLUtil::splitPath($sourcePath);
 		list($destinationDir,) = \Sabre_DAV_URLUtil::splitPath($destinationPath);
 
-		Filesystem::rename($sourcePath, $destinationPath);
+		// check update privileges
+		if ($sourceDir === $destinationDir) {
+			// for renaming it's enough to check if the sourcePath can be updated
+			if (!\OC\Files\Filesystem::isUpdatable($sourcePath)) {
+				throw new \Sabre_DAV_Exception_Forbidden();
+			}
+		} else {
+			// for a full move we need update privileges on sourcePath and sourceDir as well as destinationDir
+			if (!\OC\Files\Filesystem::isUpdatable($sourcePath)) {
+				throw new \Sabre_DAV_Exception_Forbidden();
+			}
+			if (!\OC\Files\Filesystem::isUpdatable($sourceDir)) {
+				throw new \Sabre_DAV_Exception_Forbidden();
+			}
+			if (!\OC\Files\Filesystem::isUpdatable($destinationDir)) {
+				throw new \Sabre_DAV_Exception_Forbidden();
+			}
+		}
+
+		$renameOkay = Filesystem::rename($sourcePath, $destinationPath);
+		if (!$renameOkay) {
+			throw new \Sabre_DAV_Exception_Forbidden('');
+		}
 
 		$this->markDirty($sourceDir);
 		$this->markDirty($destinationDir);