summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRoeland Jago Douma <rullzer@users.noreply.github.com>2019-06-27 16:36:30 +0200
committerGitHub <noreply@github.com>2019-06-27 16:36:30 +0200
commit5312a07f557f6440484db59cbc8d2d9a4327e83e (patch)
tree38ef44cde3f2331e02e01068aca02f3c9489d14e
parentbc6053eb2119b462f78098d72d665aba744826cb (diff)
parentf39605dabce9512887a086520791a7ac9a1af2ef (diff)
downloadnextcloud-server-5312a07f557f6440484db59cbc8d2d9a4327e83e.tar.gz
nextcloud-server-5312a07f557f6440484db59cbc8d2d9a4327e83e.zip
Merge pull request #16107 from nextcloud/local-check-path
verify that paths are valid for recursive local move
-rw-r--r--lib/private/Files/Storage/Local.php21
1 files changed, 21 insertions, 0 deletions
diff --git a/lib/private/Files/Storage/Local.php b/lib/private/Files/Storage/Local.php
index 5f7232e64b3..e3e6ac783d9 100644
--- a/lib/private/Files/Storage/Local.php
+++ b/lib/private/Files/Storage/Local.php
@@ -39,6 +39,7 @@
namespace OC\Files\Storage;
+use OC\Files\Filesystem;
use OC\Files\Storage\Wrapper\Jail;
use OCP\Files\ForbiddenException;
use OCP\Files\Storage\IStorage;
@@ -231,6 +232,18 @@ class Local extends \OC\Files\Storage\Common {
}
+ private function treeContainsBlacklistedFile(string $path): bool {
+ $iterator = new \RecursiveIteratorIterator(new \RecursiveDirectoryIterator($path));
+ foreach ($iterator as $file) {
+ /** @var \SplFileInfo $file */
+ if (Filesystem::isFileBlacklisted($file->getBasename())) {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
public function rename($path1, $path2) {
$srcParent = dirname($path1);
$dstParent = dirname($path2);
@@ -267,6 +280,10 @@ class Local extends \OC\Files\Storage\Common {
}
return $result;
}
+
+ if ($this->treeContainsBlacklistedFile($this->getSourcePath($path1))) {
+ throw new ForbiddenException('Invalid path', false);
+ }
}
return rename($this->getSourcePath($path1), $this->getSourcePath($path2));
@@ -362,6 +379,10 @@ class Local extends \OC\Files\Storage\Common {
* @throws ForbiddenException
*/
public function getSourcePath($path) {
+ if (Filesystem::isFileBlacklisted($path)) {
+ throw new ForbiddenException('Invalid path', false);
+ }
+
$fullPath = $this->datadir . $path;
$currentPath = $path;
if ($this->allowSymlinks || $currentPath === '') {