author | Lukas Reschke <lukas@owncloud.com> | 2015-02-18 16:01:24 +0100 |
---|---|---|
committer | Lukas Reschke <lukas@owncloud.com> | 2015-02-18 18:17:33 +0100 |
commit | 41e5850450d962deff277cb713b8d057e9749dbf (patch) | |
tree | f1fa93e285337ea596d10a3f695a634124d3ccac | |
parent | 8d09cc3b91a9689a6c95e06c8002288bdd8d5bbf (diff) | |
Prevent directory traversals in ctr of \OC\Files\View
This prevents misuse of \OC\Files\View when it is called with user-supplied input. In such cases an exception is now thrown.
-rw-r--r-- | lib/private/files/view.php | 8 | ||||
-rw-r--r-- | tests/lib/files/view.php | 17 |
2 files changed, 25 insertions, 0 deletions
diff --git a/lib/private/files/view.php b/lib/private/files/view.php
index 3bc9fdff1ee..3dfd4d0c105 100644
--- a/lib/private/files/view.php
+++ b/lib/private/files/view.php
@@ -36,7 +36,15 @@ class View {
 */
 protected $updater;
 
+ /**
+ * @param string $root
+ * @throws \Exception If $root contains an invalid path
+ */
 public function __construct($root = '') {
+ if(!Filesystem::isValidPath($root)) {
+ throw new \Exception();
+ }
+
 $this->fakeRoot = $root;
 $this->updater = new Updater($this);
 }
diff --git a/tests/lib/files/view.php b/tests/lib/files/view.php
index f6af59d52be..b4b6d0deb2e 100644
--- a/tests/lib/files/view.php
+++ b/tests/lib/files/view.php
@@ -894,4 +894,21 @@ class View extends \Test\TestCase {
 $this->assertFalse($view->unlink('foo.txt'));
 $this->assertTrue($cache->inCache('foo.txt'));
 }
+
+ function directoryTraversalProvider() {
+ return [
+ ['../test/'],
+ ['..\\test\\my/../folder'],
+ ['/test/my/../foo\\'],
+ ];
+ }
+
+ /**
+ * @dataProvider directoryTraversalProvider
+ * @expectedException \Exception
+ * @param string $root
+ */
+ public function testConstructDirectoryTraversalException($root) {
+ new \OC\Files\View($root);
+ }
 }
|
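Review bot: The `throw new \Exception();` in the new constructor guard has no message and uses the base exception type, so a caller or log reader cannot tell a rejected root from any other failure. `throw new \InvalidArgumentException('Invalid root path');` (without echoing the supplied value) would still satisfy the documented `@throws \Exception`. The guard sits only in `__construct`, and the class body continues outside this hunk; if any other method assigns `$this->fakeRoot`, it would need the same `Filesystem::isValidPath()` check for the protection to hold. A short why-comment above the check, such as `// Reject traversal sequences: $root may originate from user-supplied input`, would record the intent.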
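Review bot: `@expectedException \Exception` on `testConstructDirectoryTraversalException` is satisfied by any exception raised while the view is constructed, so the test could keep passing if the path check regressed and something else in the constructor threw. Expecting a narrower exception type, or a specific message once the constructor supplies one, would tie the test to the traversal check itself. The provider is declared as `function directoryTraversalProvider()` with no visibility keyword; `public function directoryTraversalProvider()` would match the test method below it. There is also no positive control: a case asserting that a plain root such as `'/test'` (constructed sample) still constructs would catch an over-strict validator.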