From 7f71ae60b0fefe697aa9da2cda40853736df0580 Mon Sep 17 00:00:00 2001 From: Georg Ehrke Date: Thu, 11 Jul 2013 10:10:07 +0200 Subject: [PATCH] improve validation of oc\preview and implement preview of error icon if something went wrong --- lib/preview.php | 255 ++++++++++++++++++++++++++++++------------------ 1 file changed, 159 insertions(+), 96 deletions(-) diff --git a/lib/preview.php b/lib/preview.php index f018fa38850..94e0cd96e7c 100755 --- a/lib/preview.php +++ b/lib/preview.php @@ -426,6 +426,14 @@ class Preview { return; } + /** + * @brief show preview + * @return void + */ + public function show() { + return $this->showPreview(); + } + /** * @brief resize, crop and fix orientation * @return image @@ -567,30 +575,40 @@ class Preview { * @brief method that handles preview requests from users that are logged in * @return void */ - public static function previewRouter($params) { + public static function previewRouter() { \OC_Util::checkLoggedIn(); - $file = ''; - $maxX = 0; - $maxY = 0; - $scalingup = true; - - if(array_key_exists('file', $_GET)) $file = (string) urldecode($_GET['file']); - if(array_key_exists('x', $_GET)) $maxX = (int) $_GET['x']; - if(array_key_exists('y', $_GET)) $maxY = (int) $_GET['y']; - if(array_key_exists('scalingup', $_GET)) $scalingup = (bool) $_GET['scalingup']; - - if($file !== '' && $maxX !== 0 && $maxY !== 0) { - try{ - $preview = new Preview(\OC_User::getUser(), 'files', $file, $maxX, $maxY, $scalingup); - $preview->showPreview(); - }catch(\Exception $e) { - \OC_Response::setStatus(404); - \OC_Log::write('core', $e->getmessage(), \OC_Log::ERROR); - exit; - } - }else{ - \OC_Response::setStatus(404); + $file = array_key_exists('file', $_GET) ? (string) urldecode($_GET['file']) : ''; + $maxX = array_key_exists('x', $_GET) ? (int) $_GET['x'] : '44'; + $maxY = array_key_exists('y', $_GET) ? (int) $_GET['y'] : '44'; + $scalingup = array_key_exists('scalingup', $_GET) ? (bool) $_GET['scalingup'] : true; + + if($file === '') { + \OC_Response::setStatus(400); //400 Bad Request + \OC_Log::write('core-preview', 'No file parameter was passed', \OC_Log::DEBUG); + self::showErrorPreview(); + exit; + } + + if($maxX === 0 || $maxY === 0) { + \OC_Response::setStatus(400); //400 Bad Request + \OC_Log::write('core-preview', 'x and/or y set to 0', \OC_Log::DEBUG); + self::showErrorPreview(); + exit; + } + + try{ + $preview = new Preview(\OC_User::getUser(), 'files'); + $preview->setFile($file); + $preview->setMaxX($maxX); + $preview->setMaxY($maxY); + $preview->setScalingUp($scalingup); + + $preview->show(); + }catch(\Exception $e) { + \OC_Response::setStatus(500); + \OC_Log::write('core', $e->getmessage(), \OC_Log::ERROR); + self::showErrorPreview(); exit; } } @@ -599,94 +617,132 @@ class Preview { * @brief method that handles preview requests from users that are not logged in / view shared folders that are public * @return void */ - public static function publicPreviewRouter($params) { - $file = ''; - $maxX = 0; - $maxY = 0; - $scalingup = true; - $token = ''; - - $user = null; - $path = null; - - if(array_key_exists('file', $_GET)) $file = (string) urldecode($_GET['file']); - if(array_key_exists('x', $_GET)) $maxX = (int) $_GET['x']; - if(array_key_exists('y', $_GET)) $maxY = (int) $_GET['y']; - if(array_key_exists('scalingup', $_GET)) $scalingup = (bool) $_GET['scalingup']; - if(array_key_exists('t', $_GET)) $token = (string) $_GET['t']; - - $linkItem = \OCP\Share::getShareByToken($token); - - if (is_array($linkItem) && isset($linkItem['uid_owner']) && isset($linkItem['file_source'])) { - $userid = $linkItem['uid_owner']; - \OC_Util::setupFS($userid); - - $pathid = $linkItem['file_source']; - $path = \OC\Files\Filesystem::getPath($pathid); - $pathinfo = \OC\Files\Filesystem::getFileInfo($path); - - $sharedfile = null; - if($linkItem['item_type'] === 'folder') { - //clean up file parameter - $sharedfile = \OC\Files\Filesystem::normalizePath($file); - if(!\OC\Files\Filesystem::isValidPath($file)) { - \OC_Response::setStatus(403); - exit; - } - } else if($linkItem['item_type'] === 'file') { - $parent = $pathinfo['parent']; - $path = \OC\Files\Filesystem::getPath($parent); - $sharedfile = $pathinfo['name']; - } + public static function publicPreviewRouter() { + if(!\OC_App::isEnabled('files_sharing')){ + exit; + } - $path = \OC\Files\Filesystem::normalizePath($path, false); - if(substr($path, 0, 1) == '/') { - $path = substr($path, 1); - } + $file = array_key_exists('file', $_GET) ? (string) urldecode($_GET['file']) : ''; + $maxX = array_key_exists('x', $_GET) ? (int) $_GET['x'] : '44'; + $maxY = array_key_exists('y', $_GET) ? (int) $_GET['y'] : '44'; + $scalingup = array_key_exists('scalingup', $_GET) ? (bool) $_GET['scalingup'] : true; + $token = array_key_exists('t', $_GET) ? (string) $_GET['t'] : ''; + + if($token === ''){ + \OC_Response::setStatus(400); //400 Bad Request + \OC_Log::write('core-preview', 'No token parameter was passed', \OC_Log::DEBUG); + self::showErrorPreview(); + exit; } - if($userid !== null && $path !== null && $sharedfile !== null) { - try{ - $preview = new Preview($userid, 'files/' . $path, $sharedfile, $maxX, $maxY, $scalingup); - $preview->showPreview(); - }catch(\Exception $e) { - \OC_Response::setStatus(404); - \OC_Log::write('core', $e->getmessage(), \OC_Log::ERROR); + $linkedItem = \OCP\Share::getShareByToken($token); + if($linkedItem === false || ($linkedItem['item_type'] !== 'file' && $linkedItem['item_type'] !== 'folder')) { + \OC_Response::setStatus(404); + \OC_Log::write('core-preview', 'Passed token parameter is not valid', \OC_Log::DEBUG); + self::showErrorPreview(); + exit; + } + + if(!isset($linkedItem['uid_owner']) || !isset($linkedItem['file_source'])) { + \OC_Response::setStatus(500); + \OC_Log::write('core-preview', 'Passed token seems to be valid, but it does not contain all necessary information . ("' . $token . '")'); + self::showErrorPreview(); + exit; + } + + $userid = $linkedItem['uid_owner']; + \OC_Util::setupFS($userid); + + $pathid = $linkedItem['file_source']; + $path = \OC\Files\Filesystem::getPath($pathid); + $pathinfo = \OC\Files\Filesystem::getFileInfo($path); + $sharedfile = null; + + if($linkedItem['item_type'] === 'folder') { + $isvalid = \OC\File\Filesystem::isValidPath($file); + if(!$isvalid) { + \OC_Response::setStatus(400); //400 Bad Request + \OC_Log::write('core-preview', 'Passed filename is not valid, might be malicious (file:"' . $file . '";ip:"' . $_SERVER['REMOTE_ADDR'] . '")', \OC_Log::WARN); + self::showErrorPreview(); exit; } - }else{ - \OC_Response::setStatus(404); + $sharedfile = \OC\Files\Filesystem::normalizePath($file); + } + + if($linkedItem['item_type'] === 'file') { + $parent = $pathinfo['parent']; + $path = \OC\Files\Filesystem::getPath($parent); + $sharedfile = $pathinfo['name']; + } + + $path = \OC\Files\Filesystem::normalizePath($path, false); + if(substr($path, 0, 1) == '/') { + $path = substr($path, 1); + } + + if($maxX === 0 || $maxY === 0) { + \OC_Response::setStatus(400); //400 Bad Request + \OC_Log::write('core-preview', 'x and/or y set to 0', \OC_Log::DEBUG); + self::showErrorPreview(); + exit; + } + + $root = 'files/' . $path; + + try{ + $preview = new Preview($userid, $path); + $preview->setFile($file); + $preview->setMaxX($maxX); + $preview->setMaxY($maxY); + $preview->setScalingUp($scalingup); + + $preview->show(); + }catch(\Exception $e) { + \OC_Response::setStatus(500); + \OC_Log::write('core', $e->getmessage(), \OC_Log::ERROR); + self::showErrorPreview(); exit; } } public static function trashbinPreviewRouter() { + \OC_Util::checkLoggedIn(); + if(!\OC_App::isEnabled('files_trashbin')){ exit; } - \OC_Util::checkLoggedIn(); - $file = ''; - $maxX = 0; - $maxY = 0; - $scalingup = true; - - if(array_key_exists('file', $_GET)) $file = (string) urldecode($_GET['file']); - if(array_key_exists('x', $_GET)) $maxX = (int) $_GET['x']; - if(array_key_exists('y', $_GET)) $maxY = (int) $_GET['y']; - if(array_key_exists('scalingup', $_GET)) $scalingup = (bool) $_GET['scalingup']; - - if($file !== '' && $maxX !== 0 && $maxY !== 0) { - try{ - $preview = new Preview(\OC_User::getUser(), 'files_trashbin/files', $file, $maxX, $maxY, $scalingup); - $preview->showPreview(); - }catch(\Exception $e) { - \OC_Response::setStatus(404); - \OC_Log::write('core', $e->getmessage(), \OC_Log::ERROR); - exit; - } - }else{ - \OC_Response::setStatus(404); + $file = array_key_exists('file', $_GET) ? (string) urldecode($_GET['file']) : ''; + $maxX = array_key_exists('x', $_GET) ? (int) $_GET['x'] : '44'; + $maxY = array_key_exists('y', $_GET) ? (int) $_GET['y'] : '44'; + $scalingup = array_key_exists('scalingup', $_GET) ? (bool) $_GET['scalingup'] : true; + + if($file === '') { + \OC_Response::setStatus(400); //400 Bad Request + \OC_Log::write('core-preview', 'No file parameter was passed', \OC_Log::DEBUG); + self::showErrorPreview(); + exit; + } + + if($maxX === 0 || $maxY === 0) { + \OC_Response::setStatus(400); //400 Bad Request + \OC_Log::write('core-preview', 'x and/or y set to 0', \OC_Log::DEBUG); + self::showErrorPreview(); + exit; + } + + try{ + $preview = new Preview(\OC_User::getUser(), 'files_trashbin/files'); + $preview->setFile($file); + $preview->setMaxX($maxX); + $preview->setMaxY($maxY); + $preview->setScalingUp($scalingup); + + $preview->showPreview(); + }catch(\Exception $e) { + \OC_Response::setStatus(500); + \OC_Log::write('core', $e->getmessage(), \OC_Log::ERROR); + self::showErrorPreview(); exit; } } @@ -703,4 +759,11 @@ class Preview { $preview = new Preview(\OC_User::getUser(), 'files/', $path, 0, 0, false, true); $preview->deleteAllPreviews(); } + + private static function showErrorPreview() { + $path = \OC::$SERVERROOT . '/core/img/actions/delete.png'; + $preview = new \OC_Image($path); + $preview->preciseResize(44, 44); + $preview->show(); + } } \ No newline at end of file -- 2.39.5