This prevents misuse of \OC\Files\View when it is called with user-supplied input. In such cases an exception is now thrown.
tags/v8.1.0alpha1
@@ -36,7 +36,15 @@ class View { | |||
*/ | |||
protected $updater; | |||
/** | |||
* @param string $root | |||
* @throws \Exception If $root contains an invalid path | |||
*/ | |||
public function __construct($root = '') { | |||
if(!Filesystem::isValidPath($root)) { | |||
throw new \Exception(); | |||
} | |||
$this->fakeRoot = $root; | |||
$this->updater = new Updater($this); | |||
} |
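Review bot: The new guard in `__construct` throws a bare `\Exception` with no message, so a rejected root cannot be told apart from any other failure in logs or by a caller that wants to handle this case specifically. A message such as `throw new \Exception('Invalid path given as view root');` would still satisfy the `@throws \Exception` contract and make rejected traversal attempts visible to whoever reads the log. The check also covers only construction; the rest of the class is outside this hunk, so if `fakeRoot` is assigned anywhere else, that path would presumably need the same `Filesystem::isValidPath()` call. It would also help for the docblock to state that `$root` must not contain `..` segments, since `isValidPath` itself is not shown here.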
@@ -894,4 +894,21 @@ class View extends \Test\TestCase { | |||
$this->assertFalse($view->unlink('foo.txt')); | |||
$this->assertTrue($cache->inCache('foo.txt')); | |||
} | |||
function directoryTraversalProvider() { | |||
return [ | |||
['../test/'], | |||
['..\\test\\my/../folder'], | |||
['/test/my/../foo\\'], | |||
]; | |||
} | |||
/** | |||
* @dataProvider directoryTraversalProvider | |||
* @expectedException \Exception | |||
* @param string $root | |||
*/ | |||
public function testConstructDirectoryTraversalException($root) { | |||
new \OC\Files\View($root); | |||
} | |||
} |
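Review bot: `@expectedException \Exception` on `testConstructDirectoryTraversalException` accepts any exception at all, so the test still passes if the constructor fails for an unrelated reason (for example inside `new Updater($this)`) and not because the path check rejected the root. If the constructor's exception carried a message, the test could pin it with `@expectedExceptionMessage`. The provider also has no row where `..` is the final segment, such as `['/test/..']`, and no counterpart test asserts that an ordinary root and the default `''` still construct without throwing. Both would guard against the validation being loosened or over-tightened later. `directoryTraversalProvider` is also missing an explicit `public` and a short docblock, unlike the test method below it.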