summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorThomas Müller <thomas.mueller@tmit.eu>2015-02-19 10:27:04 +0100
committerThomas Müller <thomas.mueller@tmit.eu>2015-02-19 10:27:04 +0100
commit84eb00e428693f504acd9ece413497b751f3b397 (patch)
tree6373356bcff78b3346b785ae6d2aeb131058ee18
parent294137dda6bbe093c0c1811d19b24bf4b31912ed (diff)
parent46ca0fa481788de87acd4d68a65f60702a1f08e8 (diff)
downloadnextcloud-server-84eb00e428693f504acd9ece413497b751f3b397.tar.gz
nextcloud-server-84eb00e428693f504acd9ece413497b751f3b397.zip
Merge pull request #14342 from owncloud/disallow-path-traversals-in-file-view
Disallow path traversals in file view
-rw-r--r--lib/private/files/view.php138
-rw-r--r--tests/lib/files/view.php17
2 files changed, 149 insertions, 6 deletions
diff --git a/lib/private/files/view.php b/lib/private/files/view.php
index 120efa0f052..de1e6e17e30 100644
--- a/lib/private/files/view.php
+++ b/lib/private/files/view.php
@@ -6,6 +6,12 @@
* See the COPYING-README file.
*/
+
+namespace OC\Files;
+
+use OC\Files\Cache\Updater;
+use OC\Files\Mount\MoveableMount;
+
/**
* Class to provide access to ownCloud filesystem via a "view", and methods for
* working with files within that view (e.g. read, write, delete, etc.). Each
@@ -22,12 +28,6 @@
* Filesystem functions are not called directly; they are passed to the correct
* \OC\Files\Storage\Storage object
*/
-
-namespace OC\Files;
-
-use OC\Files\Cache\Updater;
-use OC\Files\Mount\MoveableMount;
-
class View {
private $fakeRoot = '';
@@ -36,7 +36,15 @@ class View {
*/
protected $updater;
+ /**
+ * @param string $root
+ * @throws \Exception If $root contains an invalid path
+ */
public function __construct($root = '') {
+ if(!Filesystem::isValidPath($root)) {
+ throw new \Exception();
+ }
+
$this->fakeRoot = $root;
$this->updater = new Updater($this);
}
@@ -242,11 +250,19 @@ class View {
return $this->basicOperation('opendir', $path, array('read'));
}
+ /**
+ * @param $handle
+ * @return mixed
+ */
public function readdir($handle) {
$fsLocal = new Storage\Local(array('datadir' => '/'));
return $fsLocal->readdir($handle);
}
+ /**
+ * @param string $path
+ * @return bool|mixed
+ */
public function is_dir($path) {
if ($path == '/') {
return true;
@@ -254,6 +270,10 @@ class View {
return $this->basicOperation('is_dir', $path);
}
+ /**
+ * @param string $path
+ * @return bool|mixed
+ */
public function is_file($path) {
if ($path == '/') {
return false;
@@ -261,18 +281,35 @@ class View {
return $this->basicOperation('is_file', $path);
}
+ /**
+ * @param string $path
+ * @return mixed
+ */
public function stat($path) {
return $this->basicOperation('stat', $path);
}
+ /**
+ * @param string $path
+ * @return mixed
+ */
public function filetype($path) {
return $this->basicOperation('filetype', $path);
}
+ /**
+ * @param string $path
+ * @return mixed
+ */
public function filesize($path) {
return $this->basicOperation('filesize', $path);
}
+ /**
+ * @param string $path
+ * @return bool|mixed
+ * @throws \OCP\Files\InvalidPathException
+ */
public function readfile($path) {
$this->assertPathLength($path);
@ob_end_clean();
@@ -289,18 +326,34 @@ class View {
return false;
}
+ /**
+ * @param string $path
+ * @return mixed
+ */
public function isCreatable($path) {
return $this->basicOperation('isCreatable', $path);
}
+ /**
+ * @param string $path
+ * @return mixed
+ */
public function isReadable($path) {
return $this->basicOperation('isReadable', $path);
}
+ /**
+ * @param string $path
+ * @return mixed
+ */
public function isUpdatable($path) {
return $this->basicOperation('isUpdatable', $path);
}
+ /**
+ * @param string $path
+ * @return bool|mixed
+ */
public function isDeletable($path) {
$absolutePath = $this->getAbsolutePath($path);
$mount = Filesystem::getMountManager()->find($absolutePath);
@@ -310,10 +363,18 @@ class View {
return $this->basicOperation('isDeletable', $path);
}
+ /**
+ * @param string $path
+ * @return mixed
+ */
public function isSharable($path) {
return $this->basicOperation('isSharable', $path);
}
+ /**
+ * @param string $path
+ * @return bool|mixed
+ */
public function file_exists($path) {
if ($path == '/') {
return true;
@@ -321,10 +382,19 @@ class View {
return $this->basicOperation('file_exists', $path);
}
+ /**
+ * @param string $path
+ * @return mixed
+ */
public function filemtime($path) {
return $this->basicOperation('filemtime', $path);
}
+ /**
+ * @param string $path
+ * @param int|string $mtime
+ * @return bool
+ */
public function touch($path, $mtime = null) {
if (!is_null($mtime) and !is_numeric($mtime)) {
$mtime = strtotime($mtime);
@@ -352,10 +422,19 @@ class View {
return true;
}
+ /**
+ * @param string $path
+ * @return mixed
+ */
public function file_get_contents($path) {
return $this->basicOperation('file_get_contents', $path, array('read'));
}
+ /**
+ * @param bool $exists
+ * @param string $path
+ * @param bool $run
+ */
protected function emit_file_hooks_pre($exists, $path, &$run) {
if (!$exists) {
\OC_Hook::emit(Filesystem::CLASSNAME, Filesystem::signal_create, array(
@@ -374,6 +453,10 @@ class View {
));
}
+ /**
+ * @param bool $exists
+ * @param string $path
+ */
protected function emit_file_hooks_post($exists, $path) {
if (!$exists) {
\OC_Hook::emit(Filesystem::CLASSNAME, Filesystem::signal_post_create, array(
@@ -389,6 +472,11 @@ class View {
));
}
+ /**
+ * @param string $path
+ * @param mixed $data
+ * @return bool|mixed
+ */
public function file_put_contents($path, $data) {
if (is_resource($data)) { //not having to deal with streams in file_put_contents makes life easier
$absolutePath = Filesystem::normalizePath($this->getAbsolutePath($path));
@@ -428,6 +516,10 @@ class View {
}
}
+ /**
+ * @param string $path
+ * @return bool|mixed
+ */
public function unlink($path) {
if ($path === '' || $path === '/') {
// do not allow deleting the root
@@ -564,6 +656,12 @@ class View {
}
}
+ /**
+ * @param string $path1
+ * @param string $path2
+ * @param bool $preserveMtime
+ * @return bool|mixed
+ */
public function copy($path1, $path2, $preserveMtime = false) {
$postFix1 = (substr($path1, -1, 1) === '/') ? '/' : '';
$postFix2 = (substr($path2, -1, 1) === '/') ? '/' : '';
@@ -689,6 +787,11 @@ class View {
return $this->basicOperation('fopen', $path, $hooks, $mode);
}
+ /**
+ * @param string $path
+ * @return bool|string
+ * @throws \OCP\Files\InvalidPathException
+ */
public function toTmpFile($path) {
$this->assertPathLength($path);
if (Filesystem::isValidPath($path)) {
@@ -706,6 +809,12 @@ class View {
}
}
+ /**
+ * @param string $tmpFile
+ * @param string $path
+ * @return bool|mixed
+ * @throws \OCP\Files\InvalidPathException
+ */
public function fromTmpFile($tmpFile, $path) {
$this->assertPathLength($path);
if (Filesystem::isValidPath($path)) {
@@ -737,11 +846,23 @@ class View {
}
}
+
+ /**
+ * @param string $path
+ * @return mixed
+ * @throws \OCP\Files\InvalidPathException
+ */
public function getMimeType($path) {
$this->assertPathLength($path);
return $this->basicOperation('getMimeType', $path);
}
+ /**
+ * @param string $type
+ * @param string $path
+ * @param bool $raw
+ * @return bool|null|string
+ */
public function hash($type, $path, $raw = false) {
$postFix = (substr($path, -1, 1) === '/') ? '/' : '';
$absolutePath = Filesystem::normalizePath($this->getAbsolutePath($path));
@@ -767,6 +888,11 @@ class View {
return null;
}
+ /**
+ * @param string $path
+ * @return mixed
+ * @throws \OCP\Files\InvalidPathException
+ */
public function free_space($path = '/') {
$this->assertPathLength($path);
return $this->basicOperation('free_space', $path);
diff --git a/tests/lib/files/view.php b/tests/lib/files/view.php
index f6af59d52be..b4b6d0deb2e 100644
--- a/tests/lib/files/view.php
+++ b/tests/lib/files/view.php
@@ -894,4 +894,21 @@ class View extends \Test\TestCase {
$this->assertFalse($view->unlink('foo.txt'));
$this->assertTrue($cache->inCache('foo.txt'));
}
+
+ function directoryTraversalProvider() {
+ return [
+ ['../test/'],
+ ['..\\test\\my/../folder'],
+ ['/test/my/../foo\\'],
+ ];
+ }
+
+ /**
+ * @dataProvider directoryTraversalProvider
+ * @expectedException \Exception
+ * @param string $root
+ */
+ public function testConstructDirectoryTraversalException($root) {
+ new \OC\Files\View($root);
+ }
}