authorJulius Härtl <jus@bitgrid.net>2024-06-21 11:37:47 +0200
committerJulius Härtl <jus@bitgrid.net>2024-07-22 22:32:34 +0200
commit6c1e896a03f20e568df5af1d547f46e2df9b71a9 (patch)
tree7dfae53a850091e284cc713f0158378fe7c663bf
parent8cc996155e77e10a626906550a74953fb4a6928d (diff)
downloadnextcloud-server-6c1e896a03f20e568df5af1d547f46e2df9b71a9.tar.gz
nextcloud-server-6c1e896a03f20e568df5af1d547f46e2df9b71a9.zip
fix: Ignore preview requests for invalid file ids
Signed-off-by: Julius Härtl <jus@bitgrid.net>
-rw-r--r--apps/files/lib/Controller/ApiController.php4
-rw-r--r--apps/files/tests/Controller/ApiControllerTest.php12
-rw-r--r--core/Controller/PreviewController.php4
-rw-r--r--tests/Core/Controller/PreviewControllerTest.php1
4 files changed, 21 insertions, 0 deletions
diff --git a/apps/files/lib/Controller/ApiController.php b/apps/files/lib/Controller/ApiController.php
index 64082fbfd85..9cf634f9404 100644
--- a/apps/files/lib/Controller/ApiController.php
+++ b/apps/files/lib/Controller/ApiController.php
@@ -93,6 +93,10 @@ class ApiController extends Controller {
throw new NotFoundException();
}
+ if ($file->getId() <= 0) {
+ return new DataResponse(['message' => 'File not found.'], Http::STATUS_NOT_FOUND);
+ }
+
/** @var File $file */
$preview = $this->previewManager->getPreview($file, $x, $y, true);
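Review bot: The new `$file->getId() <= 0` guard has no comment saying which nodes carry a non-positive id or why they must not reach `getPreview()`. The test added in this commit (`testGetThumbnailInvalidPartFile`) suggests part files, and presumably previews are stored per file id, so such nodes could end up sharing one cache entry; that should be confirmed and written down. Suggested comment above the check: `// Nodes without a valid file id (e.g. part files) must not get a preview generated or cached`. The same guard is repeated in core/Controller/PreviewController.php, and each copy protects only its own route, so it is worth considering whether the check belongs in the preview manager, where other callers would be covered too. The enclosing method starts and ends outside the hunk.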
diff --git a/apps/files/tests/Controller/ApiControllerTest.php b/apps/files/tests/Controller/ApiControllerTest.php
index 0093603c5f6..844fabc93a3 100644
--- a/apps/files/tests/Controller/ApiControllerTest.php
+++ b/apps/files/tests/Controller/ApiControllerTest.php
@@ -157,6 +157,7 @@ class ApiControllerTest extends TestCase {
public function testGetThumbnailInvalidImage() {
$file = $this->createMock(File::class);
+ $file->method('getId')->willReturn(123);
$this->userFolder->method('get')
->with($this->equalTo('unknown.jpg'))
->willReturn($file);
@@ -168,8 +169,19 @@ class ApiControllerTest extends TestCase {
$this->assertEquals($expected, $this->apiController->getThumbnail(10, 10, 'unknown.jpg'));
}
+ public function testGetThumbnailInvalidPartFile() {
+ $file = $this->createMock(File::class);
+ $file->method('getId')->willReturn(0);
+ $this->userFolder->method('get')
+ ->with($this->equalTo('unknown.jpg'))
+ ->willReturn($file);
+ $expected = new DataResponse(['message' => 'File not found.'], Http::STATUS_NOT_FOUND);
+ $this->assertEquals($expected, $this->apiController->getThumbnail(10, 10, 'unknown.jpg'));
+ }
+
public function testGetThumbnail() {
$file = $this->createMock(File::class);
+ $file->method('getId')->willReturn(123);
$this->userFolder->method('get')
->with($this->equalTo('known.jpg'))
->willReturn($file);
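Review bot: `testGetThumbnailInvalidPartFile` only exercises `getId()` returning 0, while the controller rejects every value `<= 0`. A second case with `$file->method('getId')->willReturn(-1);`, or a data provider over both values, would pin the whole condition. The test also does not assert that the preview manager is never asked for a preview, so a later change that still returns 404 but generates the preview first could pass unnoticed. `testGetThumbnail` continues beyond the hunk.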
diff --git a/core/Controller/PreviewController.php b/core/Controller/PreviewController.php
index ffe761fd706..4ace295a6aa 100644
--- a/core/Controller/PreviewController.php
+++ b/core/Controller/PreviewController.php
@@ -141,6 +141,10 @@ class PreviewController extends Controller {
return new DataResponse([], Http::STATUS_FORBIDDEN);
}
+ if ($node->getId() <= 0) {
+ return new DataResponse([], Http::STATUS_NOT_FOUND);
+ }
+
$storage = $node->getStorage();
if ($storage->instanceOfStorage(SharedStorage::class)) {
/** @var SharedStorage $storage */
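Review bot: The new 404 branch in this file has no test. The only change to tests/Core/Controller/PreviewControllerTest.php in this commit is a `getId` stub returning 123 for the success path. A case mirroring `testGetThumbnailInvalidPartFile`, with `getId` returning 0 and -1 and expecting `new DataResponse([], Http::STATUS_NOT_FOUND)`, would cover it. The enclosing method starts before and continues past the hunk.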
diff --git a/tests/Core/Controller/PreviewControllerTest.php b/tests/Core/Controller/PreviewControllerTest.php
index d330c1d5209..7c9a32eae38 100644
--- a/tests/Core/Controller/PreviewControllerTest.php
+++ b/tests/Core/Controller/PreviewControllerTest.php
@@ -187,6 +187,7 @@ class PreviewControllerTest extends \Test\TestCase {
->willReturn($userFolder);
$file = $this->createMock(File::class);
+ $file->method('getId')->willReturn(123);
$userFolder->method('get')
->with($this->equalTo('file'))
->willReturn($file);