author | Roeland Jago Douma <rullzer@users.noreply.github.com> | 2019-06-27 16:36:30 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-06-27 16:36:30 +0200 |
commit | 5312a07f557f6440484db59cbc8d2d9a4327e83e (patch) | |
tree | 38ef44cde3f2331e02e01068aca02f3c9489d14e | |
parent | bc6053eb2119b462f78098d72d665aba744826cb (diff) | |
parent | f39605dabce9512887a086520791a7ac9a1af2ef (diff) | |
Merge pull request #16107 from nextcloud/local-check-path
verify that paths are valid for recursive local move
-rw-r--r-- | lib/private/Files/Storage/Local.php | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/lib/private/Files/Storage/Local.php b/lib/private/Files/Storage/Local.php index 5f7232e64b3..e3e6ac783d9 100644 --- a/lib/private/Files/Storage/Local.php +++ b/lib/private/Files/Storage/Local.php @@ -39,6 +39,7 @@ namespace OC\Files\Storage; +use OC\Files\Filesystem; use OC\Files\Storage\Wrapper\Jail; use OCP\Files\ForbiddenException; use OCP\Files\Storage\IStorage; @@ -231,6 +232,18 @@ class Local extends \OC\Files\Storage\Common { } + private function treeContainsBlacklistedFile(string $path): bool { + $iterator = new \RecursiveIteratorIterator(new \RecursiveDirectoryIterator($path)); + foreach ($iterator as $file) { + /** @var \SplFileInfo $file */ + if (Filesystem::isFileBlacklisted($file->getBasename())) { + return true; + } + } + + return false; + } + public function rename($path1, $path2) { $srcParent = dirname($path1); $dstParent = dirname($path2); @@ -267,6 +280,10 @@ class Local extends \OC\Files\Storage\Common { } return $result; } + + if ($this->treeContainsBlacklistedFile($this->getSourcePath($path1))) { + throw new ForbiddenException('Invalid path', false); + } } return rename($this->getSourcePath($path1), $this->getSourcePath($path2)); @@ -362,6 +379,10 @@ class Local extends \OC\Files\Storage\Common { * @throws ForbiddenException */ public function getSourcePath($path) { + if (Filesystem::isFileBlacklisted($path)) { + throw new ForbiddenException('Invalid path', false); + } + $fullPath = $this->datadir . $path; $currentPath = $path; if ($this->allowSymlinks || $currentPath === '') { |
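Review bot: In the new `treeContainsBlacklistedFile()`, directory names are never tested: `RecursiveIteratorIterator` defaults to `LEAVES_ONLY` and the inner `RecursiveDirectoryIterator` is built without `SKIP_DOTS`, so a directory contributes only its `.`/`..` entries and its files. If the blacklist is meant to apply to every entry, as the unconditional check added to `getSourcePath()` suggests, build it as `new \RecursiveIteratorIterator(new \RecursiveDirectoryIterator($path, \FilesystemIterator::SKIP_DOTS), \RecursiveIteratorIterator::SELF_FIRST)`. An unreadable subdirectory also makes the iterator throw `UnexpectedValueException`, which would surface from `rename()` instead of a `false` return; catching it here and refusing the move would keep the failure closed. The helper has no docblock; one line saying that it compares each entry's basename via `Filesystem::isFileBlacklisted()` would help.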
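Review bot: The scan added to `rename()` and the native `rename()` call after it are separate steps, so an entry that appears in the source tree once the scan has finished is moved unchecked. Where other processes can write to the data directory this is a check-then-act window, and the guard should be documented as such, e.g. `// best-effort: the tree may change between this scan and the rename below`. The early `return $result;` just above leaves the function before this check, and whether that branch validates each entry is not visible in the hunk. The function begins outside the hunk, so the condition guarding this block cannot be confirmed from here.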
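Review bot: `getSourcePath()` passes the whole `$path` to `Filesystem::isFileBlacklisted()`, while the tree walk added in this commit passes `getBasename()`, and nothing visible here says which part of a path the blacklist matches. If only the final component is compared, a path that merely runs through a blacklisted name is accepted by this check. State the intended scope in the docblock, for instance by extending the existing `@throws ForbiddenException` line with `when $path names a blacklisted file`. The function body continues past the end of the hunk.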