From f9f28000166628315a0e212ff51ef104242ab96f Mon Sep 17 00:00:00 2001
From: Robin Appelman
Date: Tue, 9 Feb 2016 13:00:08 +0100
Subject: [PATCH] check share permissions in share controller
---
 .../lib/controllers/sharecontroller.php | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/apps/files_sharing/lib/controllers/sharecontroller.php b/apps/files_sharing/lib/controllers/sharecontroller.php
index dae61a3537b..08679c88bb1 100644
--- a/apps/files_sharing/lib/controllers/sharecontroller.php
+++ b/apps/files_sharing/lib/controllers/sharecontroller.php
@@ -227,6 +227,16 @@ class ShareController extends Controller {
 }
 }
 
+ /**
+ * Validate the permissions of the share
+ *
+ * @param Share\IShare $share
+ * @return bool
+ */
+ private function validateShare(\OCP\Share\IShare $share) {
+ return $share->getNode()->isReadable() && $share->getNode()->isShareable();
+ }
+
 /**
 * @PublicPage
 * @NoCSRFRequired
@@ -253,6 +263,9 @@ class ShareController extends Controller {
 array('token' => $token)));
 }
 
+ if (!$this->validateShare($share)) {
+ throw new NotFoundException();
+ }
 // We can't get the path of a file share
 try {
 if ($share->getNode() instanceof \OCP\Files\File && $path !== '') {
@@ -371,6 +384,10 @@ class ShareController extends Controller {
 $userFolder = $this->rootFolder->getUserFolder($share->getShareOwner());
 $originalSharePath = $userFolder->getRelativePath($share->getNode()->getPath());
 
+ if (!$this->validateShare($share)) {
+ throw new NotFoundException();
+ }
+
 // Single file share
 if ($share->getNode() instanceof \OCP\Files\File) {
 // Single file download
-- 
2.39.5
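Review bot: The docblock on `validateShare()` does not say what makes a share valid, and its `@param Share\IShare $share` does not match the `\OCP\Share\IShare` type in the signature. Because this helper is the gate for the two public link actions patched below, I would state the rule in the summary line, e.g. `Check that the shared node is still readable and still shareable; callers must refuse the request when this returns false.`, and write `@param \OCP\Share\IShare $share`. The body also resolves `$share->getNode()` twice; holding it in a local (`$node = $share->getNode();`) avoids the second lookup and makes it explicit that both checks apply to one node.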
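Review bot: The guard added here is repeated verbatim in the download hunk further down (`-371,6 +384,10`), so each public action has to remember to call it. Only these two call sites are visible in the patch; if other handlers resolve a share from the token, they would not get the check, so it would be safer to apply it once where the share is loaded, or to note on `validateShare()` that every public action must call it. The diffstat shows only the controller changed, so a regression test asserting that an unreadable or unshareable node yields `NotFoundException` would be worth adding alongside. The enclosing method starts and ends outside this hunk.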
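Review bot: In this hunk the validity check runs only after `getUserFolder($share->getShareOwner())` and `$share->getNode()->getPath()` have already been evaluated, whereas in the earlier call site the check precedes the visible node access. Moving `if (!$this->validateShare($share)) { throw new NotFoundException(); }` above the `$userFolder = …` line makes the method fail closed before any work is done on behalf of a share that is no longer valid. The method's start is outside the hunk, so whether an even earlier spot (right after the share is loaded and authenticated) is available cannot be confirmed from here.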