authorFerdinand Thiessen <opensource@fthiessen.de>2024-08-27 14:07:44 +0200
committerFerdinand Thiessen <opensource@fthiessen.de>2024-08-28 20:24:03 +0200
commitbcd26323c1d9b480db4945c3d2de2d7c506d804c (patch)
treeb3a46eb780074479a7cb472694fb0d6fff003d99
parentef3bd0384918022458e57d593a8292549194074c (diff)
fix: Also validate parent path in `verifyPath`
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
-rw-r--r--lib/private/Files/FilenameValidator.php6
-rw-r--r--lib/private/Files/Storage/Common.php14
2 files changed, 17 insertions, 3 deletions
diff --git a/lib/private/Files/FilenameValidator.php b/lib/private/Files/FilenameValidator.php
index 2fe3c93d026..fde45068df7 100644
--- a/lib/private/Files/FilenameValidator.php
+++ b/lib/private/Files/FilenameValidator.php
@@ -25,6 +25,8 @@ use Psr\Log\LoggerInterface;
*/
class FilenameValidator implements IFilenameValidator {
+ public const INVALID_FILE_TYPE = 100;
+
private IL10N $l10n;
/**
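Review bot: `INVALID_FILE_TYPE` is added without a docblock, although it now acts as a cross-class contract: `checkForbiddenExtension()` sets it as the exception code and Storage/Common.php compares against it. A short docblock such as `/** Exception code set on InvalidPathException when a name has a forbidden file extension */` would make that visible. It would also warn a later contributor against reusing the value 100 for a different failure, which the caller would then silently ignore for directories.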
@@ -269,12 +271,12 @@ class FilenameValidator implements IFilenameValidator {
*/
protected function checkForbiddenExtension(string $filename): void {
$filename = mb_strtolower($filename);
- // Check for forbidden filename exten<sions
+ // Check for forbidden filename extensions
$forbiddenExtensions = $this->getForbiddenExtensions();
foreach ($forbiddenExtensions as $extension) {
if (str_ends_with($filename, $extension)) {
if (str_starts_with($extension, '.')) {
- throw new InvalidPathException($this->l10n->t('"%1$s" is a forbidden file type.', [$extension]));
+ throw new InvalidPathException($this->l10n->t('"%1$s" is a forbidden file type.', [$extension]), self::INVALID_FILE_TYPE);
} else {
throw new InvalidPathException($this->l10n->t('Filenames must not end with "%1$s".', [$extension]));
}
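Review bot: Only the dotted-extension branch gets `self::INVALID_FILE_TYPE`; the `else` branch two lines below still throws with the default code 0. Because the new caller in Storage/Common.php decides by exception code, a directory whose name ends with a non-dotted forbidden suffix is rejected as an invalid parent, while one ending in a dotted extension is accepted. If that difference is intended, say so at the throw, e.g. `// no code on purpose: suffix rules also apply to directory names`; otherwise pass a code there as well. The body of checkForbiddenExtension continues outside the hunk.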
diff --git a/lib/private/Files/Storage/Common.php b/lib/private/Files/Storage/Common.php
index a8f8c05ab54..5ffac31d682 100644
--- a/lib/private/Files/Storage/Common.php
+++ b/lib/private/Files/Storage/Common.php
@@ -13,6 +13,7 @@ use OC\Files\Cache\Propagator;
use OC\Files\Cache\Scanner;
use OC\Files\Cache\Updater;
use OC\Files\Cache\Watcher;
+use OC\Files\FilenameValidator;
use OC\Files\Filesystem;
use OC\Files\Storage\Wrapper\Jail;
use OC\Files\Storage\Wrapper\Wrapper;
@@ -494,7 +495,18 @@ abstract class Common implements Storage, ILockingStorage, IWriteStreamStorage {
$this->getFilenameValidator()
->validateFilename($fileName);
- // NOTE: $path will remain unverified for now
+ // verify also the path is valid
+ if ($path && $path !== '/' && $path !== '.') {
+ try {
+ $this->verifyPath(dirname($path), basename($path));
+ } catch (InvalidPathException $e) {
+ // Ignore invalid file type exceptions on directories
+ if ($e->getCode() !== FilenameValidator::INVALID_FILE_TYPE) {
+ $l = \OCP\Util::getL10N('lib');
+ throw new InvalidPathException($l->t('Invalid parent path'), previous: $e);
+ }
+ }
+ }
}
/**
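Review bot: The catch on `$e->getCode() !== FilenameValidator::INVALID_FILE_TYPE` discards the whole validation result for a directory component, not just the extension rule. If `validateFilename()` stops at the first violation and runs any check after `checkForbiddenExtension()` (neither is visible in this diff), a parent name ending in a forbidden extension never reaches those later checks. Validating directory components with the extension rule disabled would be tighter than filtering by exception code. At minimum record the limit next to the catch: `// NOTE: a forbidden-extension failure ends validateFilename() early; later checks are skipped for this directory name`. The body of verifyPath starts outside the hunk, and a test with a parent that violates both an extension rule and another rule would pin the behaviour.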