authorJoas Schilling <213943+nickvergessen@users.noreply.github.com>2023-04-25 08:51:54 +0200
committerGitHub <noreply@github.com>2023-04-25 08:51:54 +0200
commitaf214b6c1389d5ba526e059ccbe35eeb06c887d6 (patch)
tree1c1ff8779d0a1cc0be9333b5518ac7a11bc940bf
parente9aefb5251ff4a13affbda4a771d8522e01d25e4 (diff)
parentb1ec7ff51f2ca3278314beffce547b579a050559 (diff)
downloadnextcloud-server-af214b6c1389d5ba526e059ccbe35eeb06c887d6.tar.gz
nextcloud-server-af214b6c1389d5ba526e059ccbe35eeb06c887d6.zip
Merge pull request #36378 from nextcloud/fix/improve-taint-analysis
Add missing taint analysis docblock comments, and improve escaping in…
-rw-r--r--apps/dashboard/lib/Controller/LayoutApiController.php2
-rw-r--r--lib/private/Files/Filesystem.php1
-rw-r--r--lib/private/legacy/OC_App.php4
3 files changed, 5 insertions, 2 deletions
diff --git a/apps/dashboard/lib/Controller/LayoutApiController.php b/apps/dashboard/lib/Controller/LayoutApiController.php
index 755470b7b07..8eb01be497e 100644
--- a/apps/dashboard/lib/Controller/LayoutApiController.php
+++ b/apps/dashboard/lib/Controller/LayoutApiController.php
@@ -31,7 +31,6 @@ use OCP\IConfig;
use OCP\IRequest;
class LayoutApiController extends OCSController {
-
/** @var IConfig */
private $config;
/** @var string */
@@ -56,6 +55,7 @@ class LayoutApiController extends OCSController {
* @return JSONResponse
*/
public function create(string $layout): JSONResponse {
+ $layout = htmlspecialchars($layout);
$this->config->setUserValue($this->userId, 'dashboard', 'layout', $layout);
return new JSONResponse(['layout' => $layout]);
}
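Review bot: The added `$layout = htmlspecialchars($layout);` encodes the value on input and then persists the encoded form via setUserValue, so every reader of the `dashboard`/`layout` user value now gets entity-encoded text and any template that escapes on output will double-encode it; the JSON response on the next line also returns the encoded string rather than what the client sent. It also relies on PHP's default flags, which on PHP before 8.1 leave single quotes unescaped and do not substitute invalid UTF-8. If input-side encoding is kept, pin the behaviour explicitly: `$layout = htmlspecialchars($layout, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. Since this is stored data rather than an HTML sink, validating `$layout` against its expected format and rejecting anything else would be the more robust fix; a one-line comment stating why encoding at storage time was chosen would help the next maintainer either way.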
diff --git a/lib/private/Files/Filesystem.php b/lib/private/Files/Filesystem.php
index 367982eed72..c50fa1f9de9 100644
--- a/lib/private/Files/Filesystem.php
+++ b/lib/private/Files/Filesystem.php
@@ -642,6 +642,7 @@ class Filesystem {
* @param bool $stripTrailingSlash whether to strip the trailing slash
* @param bool $isAbsolutePath whether the given path is absolute
* @param bool $keepUnicode true to disable unicode normalization
+ * @psalm-taint-escape file
* @return string
*/
public static function normalizePath($path, $stripTrailingSlash = true, $isAbsolutePath = false, $keepUnicode = false) {
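Review bot: Adding `@psalm-taint-escape file` declares that anything passed through normalizePath is safe to use as a filesystem path, which silences Psalm's path-traversal findings at every call site; normalizePath's body lies outside the hunk, so I cannot confirm here that it resolves `.` and `..` segments rather than only tidying separators, and the annotation presupposes that it does. A taint escape should record the invariant it rests on so a later refactor does not silently void it, e.g. add below the tag: `* NOTE: the taint escape above relies on this function resolving '.' and '..' segments; if that guarantee changes, remove the annotation.` Please confirm the implementation against that statement before merging.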
diff --git a/lib/private/legacy/OC_App.php b/lib/private/legacy/OC_App.php
index b28b2d38fbd..b1da6a1d2fb 100644
--- a/lib/private/legacy/OC_App.php
+++ b/lib/private/legacy/OC_App.php
@@ -85,12 +85,14 @@ class OC_App {
*
* @psalm-taint-escape file
* @psalm-taint-escape include
+ * @psalm-taint-escape html
+ * @psalm-taint-escape has_quotes
*
* @param string $app AppId that needs to be cleaned
* @return string
*/
public static function cleanAppId(string $app): string {
- return str_replace(['\0', '/', '\\', '..'], '', $app);
+ return str_replace(['<', '>', '"', "'", '\0', '/', '\\', '..'], '', $app);
}
/**
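Review bot: The new replacement list keeps `'\0'` in single quotes, which in PHP is the two-character sequence backslash-zero rather than a NUL byte, so an actual NUL in `$app` is never stripped even though the `file`/`include` taint escapes on this method presume it is (the literal `\0` sequence is removed, and any stray backslash is removed by the `'\\'` entry, but byte 0x00 passes through). Use a double-quoted escape for that entry: `return str_replace(['<', '>', '"', "'", "\0", '/', '\\', '..'], '', $app);`. Impact is reduced on PHP 8, where filesystem functions reject paths containing NUL, but the annotation should still hold for what the function actually does. More broadly, character stripping is a thin basis for the newly added `html` and `has_quotes` escapes (for example `&` and other attribute-context characters are untouched); if app ids are required to match a fixed alphabet elsewhere, validating against that pattern here would let all four annotations rest on an allowlist instead, and a short comment explaining why stripping rather than rejecting was chosen would help readers.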