authorGeorg Ehrke <dev@georgswebsite.de>2012-04-26 17:55:00 +0200
committerGeorg Ehrke <dev@georgswebsite.de>2012-04-26 17:55:00 +0200
commit40f95ffdf3edf9ab45c15bd5b9018d7f4d92baa9 (patch)
treeaf8aeba6f15770a2d07e9489dfc9490572b0d2e6
parent0249a72caba9f1a4eeaf51f382a74fe61b66c284 (diff)
fix security check for the path of the requested file
-rw-r--r--apps/files/js/fileactions.js2
-rw-r--r--apps/files/js/files.js2
-rw-r--r--core/js/js.js5
-rw-r--r--lib/base.php14
-rwxr-xr-xlib/helper.php19
5 files changed, 33 insertions, 9 deletions
diff --git a/apps/files/js/fileactions.js b/apps/files/js/fileactions.js
index fc6c99262ef..481802e0d63 100644
--- a/apps/files/js/fileactions.js
+++ b/apps/files/js/fileactions.js
@@ -135,7 +135,7 @@ $(document).ready(function(){
var downloadScope = 'file';
}
FileActions.register(downloadScope,'Download',function(){return OC.imagePath('core','actions/download')},function(filename){
- window.location=OC.filePath('files', 'ajax', 'download.php?files='+encodeURIComponent(filename)+'&dir='+encodeURIComponent($('#dir').val()));
+ window.location=OC.filePath('files', 'ajax', 'download.php') + '?files='+encodeURIComponent(filename)+'&dir='+encodeURIComponent($('#dir').val());
});
});
diff --git a/apps/files/js/files.js b/apps/files/js/files.js
index 4637d3cb64d..9d83e5e6d26 100644
--- a/apps/files/js/files.js
+++ b/apps/files/js/files.js
@@ -140,7 +140,7 @@ $(document).ready(function() {
var dir=$('#dir').val()||'/';
$('#notification').text(t('files','generating ZIP-file, it may take some time.'));
$('#notification').fadeIn();
- window.location=OC.filePath('files', 'ajax', 'download.php?files='+encodeURIComponent(files)+'&dir='+encodeURIComponent(dir));
+ window.location=OC.filePath('files', 'ajax', 'download.php') + '?files='+encodeURIComponent(files)+'&dir='+encodeURIComponent(dir);
return false;
});
diff --git a/core/js/js.js b/core/js/js.js
index 84875ca162f..12303d7dd91 100644
--- a/core/js/js.js
+++ b/core/js/js.js
@@ -53,13 +53,12 @@ OC={
filePath:function(app,type,file){
var isCore=OC.coreApps.indexOf(app)!=-1;
var link=OC.webroot;
- var splitted = file.split('?');
- if((splitted[0].substring(splitted[0].length-3) == 'php' || splitted[0].substring(splitted[0].length-3) == 'css') && !isCore){
+ if((file.substring(file.length-3) == 'php' || file.substring(file.length-3) == 'css') && !isCore){
link+='/?app=' + app + '&getfile=';
if(type){
link+=encodeURI(type + '/');
}
- link+= file + '?' + splitted[1];
+ link+= file;
}else if(file.substring(file.length-3) != 'php' && !isCore){
link=OC.appswebroot;
link+='/';
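Review bot: The three-character suffix of `file` is computed three times on lines 54 and 61 now that the query-string split is gone; hoisting it once reads better and removes the duplicated `file.substring(file.length-3)`, e.g. `var ext=file.substring(file.length-3);` before line 54 and then `(ext == 'php' || ext == 'css') && !isCore` / `ext != 'php' && !isCore`. Since filePath no longer accepts a `?query` in `file`, a one-line comment above line 49 such as `// file must be a bare path; append any query string to the returned URL` would document the new contract that the two apps/files callers in this commit now follow. filePath's body continues past the end of the hunk.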
diff --git a/lib/base.php b/lib/base.php
index bb6dc3d8d70..74693641f6e 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -276,7 +276,7 @@ class OC{
}
public static function loadapp(){
- if(file_exists(OC::$APPSROOT . '/apps/' . OC::$REQUESTEDAPP)){
+ if(file_exists(OC::$APPSROOT . '/apps/' . OC::$REQUESTEDAPP . '/index.php')){
require_once(OC::$APPSROOT . '/apps/' . OC::$REQUESTEDAPP . '/index.php');
}else{
trigger_error('The requested App was not found.', E_USER_ERROR);//load default app instead?
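Review bot: The `require_once` on line 73 includes a path built from `OC::$REQUESTEDAPP`, which the second hunk of this file sets from `strip_tags($_GET['app'])`, and nothing in the visible hunks applies to it the containment check that the commit adds for `$REQUESTEDFILE`; the new `/index.php` suffix on line 72 only confirms that an app directory exists there. Unless `$REQUESTEDAPP` is validated elsewhere, the same `OC_Helper::issubdirectory()` check could guard this include, e.g. `if(OC_Helper::issubdirectory(OC::$APPSROOT . '/apps/' . OC::$REQUESTEDAPP, OC::$APPSROOT . '/apps') && file_exists(OC::$APPSROOT . '/apps/' . OC::$REQUESTEDAPP . '/index.php')){`. The else branch of loadapp() ends outside the hunk.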
@@ -414,7 +414,7 @@ class OC{
register_shutdown_function(array('OC_Helper','cleanTmp'));
self::$REQUESTEDAPP = (isset($_GET['app'])?strip_tags($_GET['app']):'files');
- self::$REQUESTEDFILE = $_GET['getfile'];
+ self::$REQUESTEDFILE = (isset($_GET['getfile'])?$_GET['getfile']:null);
if(substr_count(self::$REQUESTEDFILE, '?') != 0){
$file = substr(self::$REQUESTEDFILE, 0, strpos(self::$REQUESTEDFILE, '?'));
$param = substr(self::$REQUESTEDFILE, strpos(self::$REQUESTEDFILE, '?') + 1);
@@ -423,7 +423,15 @@ class OC{
self::$REQUESTEDFILE = $file;
$_GET['getfile'] = $file;
}
- self::$REQUESTEDFILE = (isset($_GET['getfile'])?(OC_Helper::issubdirectory(OC::$APPSROOT . '/' . self::$REQUESTEDAPP . '/' . self::$REQUESTEDFILE, OC::$APPSROOT . '/' . self::$REQUESTEDAPP)?self::$REQUESTEDFILE:null):null);
+ if(!is_null(self::$REQUESTEDFILE)){
+ $subdir = OC::$APPSROOT . '/' . self::$REQUESTEDAPP . '/' . self::$REQUESTEDFILE;
+ $parent = OC::$APPSROOT . '/' . self::$REQUESTEDAPP;
+ if(!OC_Helper::issubdirectory($subdir, $parent)){
+ self::$REQUESTEDFILE = null;
+ //header('HTTP/1.0 404 Not Found');
+ exit;
+ }
+ }
}
}
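Review bot: The rejection path on lines 93–95 calls `exit` with the status header on line 94 commented out, so a request that fails the containment check terminates with an empty body and whatever default status PHP emits (normally 200), and the `self::$REQUESTEDFILE = null` on line 93 has no observable effect because `exit` follows immediately. Either send the status before exiting, `header('HTTP/1.0 404 Not Found'); exit;`, and drop the dead assignment, or keep the assignment and remove `exit` so the caller's null handling applies — the two halves currently contradict each other. Note also that lines 90–91 build the checked path as `OC::$APPSROOT . '/' . self::$REQUESTEDAPP` while loadapp() in the first hunk uses `OC::$APPSROOT . '/apps/' . OC::$REQUESTEDAPP`; if the served file lives under the latter, the check on line 92 is run against a different directory than the one actually read — worth confirming which layout is right. The enclosing function begins before this hunk.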
diff --git a/lib/helper.php b/lib/helper.php
index a89aa4d37fc..1d9862bf8b1 100755
--- a/lib/helper.php
+++ b/lib/helper.php
@@ -560,6 +560,23 @@ class OC_Helper {
* @return bool
*/
public static function issubdirectory($sub, $parent){
- return (substr(realpath($sub), 0, strlen(realpath($parent))) == realpath($parent))?true:false;
+ if($sub == null || $sub == '' || $parent == null || $parent == ''){
+ return false;
+ }
+ $realpath_sub = realpath($sub);
+ $realpath_parent = realpath($parent);
+ if(($realpath_sub == false && substr_count($realpath_sub, './') != 0) || ($realpath_parent == false && substr_count($realpath_parent, './') != 0)){ //it checks for both ./ and ../
+ return false;
+ }
+ if($realpath_sub && $realpath_sub != '' && $realpath_parent && $realpath_parent != ''){
+ if(substr($sub, 0, strlen($parent)) == $parent){
+ return true;
+ }
+ }else{
+ if(substr($realpath_sub, 0, strlen($realpath_parent)) == $realpath_parent){
+ return true;
+ }
+ }
+ return false;
}
}
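Review bot: The branch on lines 121–124 runs exactly when at least one `realpath()` call returned `false`, and in the case where `$realpath_parent` is `false`, `strlen(false)` is 0 and `substr($realpath_sub, 0, 0) == false` is true under loose comparison, so issubdirectory() returns true for a parent that does not exist instead of failing closed. The `./` guard on line 114 never fires either, because it inspects `$realpath_sub`/`$realpath_parent` only when they are already `false`, and `substr_count(false, './')` is 0. Lines 117–120 then compare the unresolved `$sub` and `$parent` even though both resolved paths are available, which defeats the purpose of calling `realpath()`; the prefix test also lacks a trailing separator, so `/apps/foo` would count as inside `/apps/fo`. Rewriting the body to fail closed whenever either `realpath()` fails and to compare the resolved paths with `===` and a trailing `/` addresses all three; the docblock above the hunk should then state that a non-existent `$sub` or `$parent` yields false.
```php
public static function issubdirectory($sub, $parent){
	if($sub == null || $sub == '' || $parent == null || $parent == ''){
		return false;
	}
	$realpath_sub = realpath($sub);
	$realpath_parent = realpath($parent);
	// realpath() returns false when a path does not exist or cannot be resolved; treat that as "not inside"
	if($realpath_sub === false || $realpath_parent === false){
		return false;
	}
	$realpath_parent = rtrim($realpath_parent, '/');
	// exact match, or a prefix match that ends on a directory boundary (so /a/bc is not inside /a/b)
	return $realpath_sub === $realpath_parent || strpos($realpath_sub, $realpath_parent . '/') === 0;
}
```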