From 784a752c0f38c6f667516e8377a42b37cd527038 Mon Sep 17 00:00:00 2001 From: Roeland Jago Douma Date: Tue, 9 Feb 2021 22:35:18 +0100 Subject: [PATCH] tain-escape the cookie input we only set the cookie if it is a proper <=32 char alphanum string. Otherwise we just ignore the input. Makes psalm also happier so that we can focus on other errors. Signed-off-by: Roeland Jago Douma --- apps/files/ajax/download.php | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/apps/files/ajax/download.php b/apps/files/ajax/download.php index 25d70c7ebcf..445b15dc6a7 100644 --- a/apps/files/ajax/download.php +++ b/apps/files/ajax/download.php @@ -41,15 +41,29 @@ if (!is_array($files_list)) { $files_list = [$files]; } +/** + * @psalm-taint-escape cookie + */ +function cleanCookieInput(string $value): string { + if (strlen($value) > 32) { + return ''; + } + if (preg_match('!^[a-zA-Z0-9]+$!', $_GET['downloadStartSecret']) !== 1) { + return ''; + } + return $value; +} + /** * this sets a cookie to be able to recognize the start of the download * the content must not be longer than 32 characters and must only contain * alphanumeric characters */ -if (isset($_GET['downloadStartSecret']) - && !isset($_GET['downloadStartSecret'][32]) - && preg_match('!^[a-zA-Z0-9]+$!', $_GET['downloadStartSecret']) === 1) { - setcookie('ocDownloadStarted', $_GET['downloadStartSecret'], time() + 20, '/'); +if (isset($_GET['downloadStartSecret'])) { + $value = cleanCookieInput($_GET['downloadStartSecret']); + if ($value !== '') { + setcookie('ocDownloadStarted', $value, time() + 20, '/'); + } } $server_params = [ 'head' => \OC::$server->getRequest()->getMethod() === 'HEAD' ]; -- 2.39.5