From 0b00057cf6cf95320da99c81f993ddea49156545 Mon Sep 17 00:00:00 2001
From: Lukas Reschke 
Date: Tue, 18 Feb 2014 12:32:57 +0100
Subject: [PATCH] An admin should not be able to add remote and public services on its own. This should only be possible programmatically. This change is due the fact that an admin may not be expected to execute arbitrary code in every environment.
---
 core/ajax/appconfig.php | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/core/ajax/appconfig.php b/core/ajax/appconfig.php
index 4f26dedc797..6629d8a664b 100644
--- a/core/ajax/appconfig.php
+++ b/core/ajax/appconfig.php
@@ -9,28 +9,40 @@ OC_Util::checkAdminUser();
 OCP\JSON::callCheck();
 $action=isset($_POST['action'])?$_POST['action']:$_GET['action'];
+$app=OC_App::cleanAppId(isset($_POST['app'])?$_POST['app']:$_GET['app']);
+
+// An admin should not be able to add remote and public services
+// on its own. This should only be possible programmatically.
+// This change is due the fact that an admin may not be expected
+// to execute arbitrary code in every environment.
+if($app === 'core' && (substr($_POST['key'],0,7) === 'remote_' || substr($_POST['key'],0,7) === 'public_')) { OC_JSON::error(array('data' => array('message' => 'Unexpected error!'))); return; }
+
 $result=false;
 switch($action) {
 case 'getValue':
- $result=OC_Appconfig::getValue($_GET['app'], $_GET['key'], $_GET['defaultValue']);
+ $result=OC_Appconfig::getValue($app, $_GET['key'], $_GET['defaultValue']);
 break;
 case 'setValue':
- $result=OC_Appconfig::setValue($_POST['app'], $_POST['key'], $_POST['value']);
+ $result=OC_Appconfig::setValue($app, $_POST['key'], $_POST['value']);
 break;
 case 'getApps':
 $result=OC_Appconfig::getApps();
 break;
 case 'getKeys':
- $result=OC_Appconfig::getKeys($_GET['app']);
+ $result=OC_Appconfig::getKeys($app);
 break;
 case 'hasKey':
- $result=OC_Appconfig::hasKey($_GET['app'], $_GET['key']);
+ $result=OC_Appconfig::hasKey($app, $_GET['key']);
 break;
 case 'deleteKey':
- $result=OC_Appconfig::deleteKey($_POST['app'], $_POST['key']);
+ $result=OC_Appconfig::deleteKey($app, $_POST['key']);
 break;
 case 'deleteApp':
- $result=OC_Appconfig::deleteApp($_POST['app']);
+ $result=OC_Appconfig::deleteApp($app);
 break;
 }
 OC_JSON::success(array('data'=>$result));
+
-- 
2.39.5
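Review bot: The new guard reads `$_POST['key']` unconditionally, but the GET-driven actions in the switch (getValue, getKeys, hasKey, getApps) carry no `key` in `$_POST`, so every such request now raises an undefined-index notice before the switch is reached. Reading the key once with a default keeps the check on the write path without the notice: `$key=isset($_POST['key'])?$_POST['key']:'';` followed by `if($app === 'core' && (substr($key,0,7) === 'remote_' || substr($key,0,7) === 'public_')) {`. Because the guard runs before the switch it also rejects deleteKey for these prefixes, which is broader than the "add" wording of the commit message; if that is intended, the comment above the guard should say so, since the generic 'Unexpected error!' response gives the caller no hint of the rule. The hunk is file-level script code with no enclosing function.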