author | Carl Schwan <carl@carlschwan.eu> | 2022-08-31 21:15:02 +0200 |
committer | Côme Chilliet <come.chilliet@nextcloud.com> | 2023-04-24 17:17:53 +0200 |
commit | b1ec7ff51f2ca3278314beffce547b579a050559 (patch) | |
tree | 4769007e50f4c173540d43f8bf94623856ed5cae | |
parent | 4953296b9e87037b742a463018974f4cda76752a (diff) | |
Add missing taint analysis docblock comments, and improve escaping in some methods
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
-rw-r--r-- | apps/dashboard/lib/Controller/LayoutApiController.php | 2 | ||||
-rw-r--r-- | lib/private/Files/Filesystem.php | 1 | ||||
-rw-r--r-- | lib/private/legacy/OC_App.php | 4 |
3 files changed, 5 insertions, 2 deletions
diff --git a/apps/dashboard/lib/Controller/LayoutApiController.php b/apps/dashboard/lib/Controller/LayoutApiController.php
index 755470b7b07..8eb01be497e 100644
--- a/apps/dashboard/lib/Controller/LayoutApiController.php
+++ b/apps/dashboard/lib/Controller/LayoutApiController.php
@@ -31,7 +31,6 @@ use OCP\IConfig;
 use OCP\IRequest;
 class LayoutApiController extends OCSController {
- /** @var IConfig */
 private $config;
 /** @var string */
@@ -56,6 +55,7 @@ class LayoutApiController extends OCSController {
 * @return JSONResponse
 */
 public function create(string $layout): JSONResponse {
+ $layout = htmlspecialchars($layout);
 $this->config->setUserValue($this->userId, 'dashboard', 'layout', $layout);
 return new JSONResponse(['layout' => $layout]);
 }
diff --git a/lib/private/Files/Filesystem.php b/lib/private/Files/Filesystem.php
index 367982eed72..c50fa1f9de9 100644
--- a/lib/private/Files/Filesystem.php
+++ b/lib/private/Files/Filesystem.php
@@ -642,6 +642,7 @@ class Filesystem {
 * @param bool $stripTrailingSlash whether to strip the trailing slash
 * @param bool $isAbsolutePath whether the given path is absolute
 * @param bool $keepUnicode true to disable unicode normalization
+ * @psalm-taint-escape file
 * @return string
 */
 public static function normalizePath($path, $stripTrailingSlash = true, $isAbsolutePath = false, $keepUnicode = false) {
diff --git a/lib/private/legacy/OC_App.php b/lib/private/legacy/OC_App.php
index b28b2d38fbd..b1da6a1d2fb 100644
--- a/lib/private/legacy/OC_App.php
+++ b/lib/private/legacy/OC_App.php
@@ -85,12 +85,14 @@ class OC_App {
 *
 * @psalm-taint-escape file
 * @psalm-taint-escape include
+ * @psalm-taint-escape html
+ * @psalm-taint-escape has_quotes
 *
 * @param string $app AppId that needs to be cleaned
 * @return string
 */
 public static function cleanAppId(string $app): string {
- return str_replace(['\0', '/', '\\', '..'], '', $app);
+ return str_replace(['<', '>', '"', "'", '\0', '/', '\\', '..'], '', $app);
 }
 /** |
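Review bot: The added `$layout = htmlspecialchars($layout);` in `create()` escapes for an HTML context at the point where the value is persisted and echoed back in JSON, so the stored `dashboard/layout` user value and the API response now carry `&amp;`, `&lt;` and friends instead of the submitted string, and any non-HTML consumer of that config value sees the encoded form. Escaping belongs at the output sink; at this input boundary the safer fix is to validate the accepted shape and reject everything else (presumably a comma-separated list of widget ids — confirm against the dashboard code, which is outside this hunk). If escaping here is kept, pass the flags explicitly, `$layout = htmlspecialchars($layout, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`, because on PHP < 8.1 the default flags leave single quotes unencoded and an invalid UTF-8 sequence makes the call return an empty string, which is then silently stored as the layout.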
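Review bot: Adding `@psalm-taint-escape file` to `normalizePath()` tells the taint analyser that every path it returns is safe to hand to a filesystem sink, which suppresses path-traversal findings downstream of each call; that is only justified if the body (outside this hunk) itself rejects NUL bytes and resolves `..` segments, since normalization alone does not make a user-controlled path safe to open. The docblock should state what the escape guarantee rests on so a later change to the body does not silently invalidate it, e.g. `* @psalm-taint-escape file — result is NUL-free and contains no '..' segments; callers must still confine it to the intended root`, adjusted to what the implementation actually does. If normalizePath does not provide those properties, the annotation belongs on the function that does (the one that checks the path against the storage root), not here.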
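Review bot: The NUL entry in the strip list of `cleanAppId()` is `'\0'` in single quotes, which in PHP is the two-character string backslash-zero rather than the NUL byte, so a real `"\0"` in `$app` passes through unchanged even though the method is now annotated as escaping `file`, `include`, `html` and `has_quotes` sinks; the line should read `return str_replace(['<', '>', '"', "'", "\0", '/', '\\', '..'], '', $app);`. Note also that stripping `<>"'` only makes the result safe where those four characters are what breaks out of the context — an unquoted attribute, a URL scheme or an `&`-sensitive context is not covered — so the new `html`/`has_quotes` escape claims should be relied on only for text-node and quoted-attribute uses. An allowlist such as `preg_replace('/[^a-zA-Z0-9_.-]/', '', $app)` would make all four escape claims hold by construction, provided app ids in this codebase never contain other characters (confirm before switching).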