author | Ferdinand Thiessen <opensource@fthiessen.de> | 2024-08-27 14:07:44 +0200 |
---|---|---|
committer | Ferdinand Thiessen <opensource@fthiessen.de> | 2024-08-28 20:24:03 +0200 |
commit | bcd26323c1d9b480db4945c3d2de2d7c506d804c (patch) | |
tree | b3a46eb780074479a7cb472694fb0d6fff003d99 | |
parent | ef3bd0384918022458e57d593a8292549194074c (diff) | |
fix: Also validate parent path in `verifyPath`
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
-rw-r--r-- | lib/private/Files/FilenameValidator.php | 6 | ||||
-rw-r--r-- | lib/private/Files/Storage/Common.php | 14 |
2 files changed, 17 insertions, 3 deletions
diff --git a/lib/private/Files/FilenameValidator.php b/lib/private/Files/FilenameValidator.php
index 2fe3c93d026..fde45068df7 100644
--- a/lib/private/Files/FilenameValidator.php
+++ b/lib/private/Files/FilenameValidator.php
@@ -25,6 +25,8 @@ use Psr\Log\LoggerInterface;
 */
 class FilenameValidator implements IFilenameValidator {
+ public const INVALID_FILE_TYPE = 100;
+
 private IL10N $l10n;
 /**
@@ -269,12 +271,12 @@ class FilenameValidator implements IFilenameValidator {
 */
 protected function checkForbiddenExtension(string $filename): void {
 $filename = mb_strtolower($filename);
- // Check for forbidden filename exten<sions
+ // Check for forbidden filename extensions
 $forbiddenExtensions = $this->getForbiddenExtensions();
 foreach ($forbiddenExtensions as $extension) {
 if (str_ends_with($filename, $extension)) {
 if (str_starts_with($extension, '.')) {
- throw new InvalidPathException($this->l10n->t('"%1$s" is a forbidden file type.', [$extension]));
+ throw new InvalidPathException($this->l10n->t('"%1$s" is a forbidden file type.', [$extension]), self::INVALID_FILE_TYPE);
 } else {
 throw new InvalidPathException($this->l10n->t('Filenames must not end with "%1$s".', [$extension]));
 }
diff --git a/lib/private/Files/Storage/Common.php b/lib/private/Files/Storage/Common.php
index a8f8c05ab54..5ffac31d682 100644
--- a/lib/private/Files/Storage/Common.php
+++ b/lib/private/Files/Storage/Common.php
@@ -13,6 +13,7 @@ use OC\Files\Cache\Propagator;
 use OC\Files\Cache\Scanner;
 use OC\Files\Cache\Updater;
 use OC\Files\Cache\Watcher;
+use OC\Files\FilenameValidator;
 use OC\Files\Filesystem;
 use OC\Files\Storage\Wrapper\Jail;
 use OC\Files\Storage\Wrapper\Wrapper;
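Review bot: `INVALID_FILE_TYPE` in the first FilenameValidator.php hunk becomes a contract between two classes but is added without a docblock. Only the dot-prefixed branch of `checkForbiddenExtension()` passes it, while the `Filenames must not end with` branch keeps the default exception code, and nothing on the constant says so. I would add `/** Code of the InvalidPathException thrown when a name ends in a forbidden file extension (one starting with "."). */` directly above the constant.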
@@ -494,7 +495,18 @@ abstract class Common implements Storage, ILockingStorage, IWriteStreamStorage {
 $this->getFilenameValidator()
 ->validateFilename($fileName);
- // NOTE: $path will remain unverified for now
+ // verify also the path is valid
+ if ($path && $path !== '/' && $path !== '.') {
+ try {
+ $this->verifyPath(dirname($path), basename($path));
+ } catch (InvalidPathException $e) {
+ // Ignore invalid file type exceptions on directories
+ if ($e->getCode() !== FilenameValidator::INVALID_FILE_TYPE) {
+ $l = \OCP\Util::getL10N('lib');
+ throw new InvalidPathException($l->t('Invalid parent path'), previous: $e);
+ }
+ }
+ }
 }
 /** |
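Review bot: Ignoring `INVALID_FILE_TYPE` in the catch also discards every check that had not run yet. The recursive `verifyPath(dirname($path), basename($path))` begins with `validateFilename()` on the directory name, so when that name ends in a forbidden extension the call throws before reaching its own parent check, and the ancestors above that directory are never validated. Depending on the order of checks inside `validateFilename()` (not visible here), other rules for that same directory name may be skipped as well. Walking the ancestors in a loop and applying the ignore rule per component, as sketched below, keeps one tolerated component from ending the walk; note that the sketch no longer routes parents through an overridden `verifyPath()`. The enclosing method starts outside the hunk.

```php
// verify also the path is valid
$parent = $path;
while ($parent && $parent !== '/' && $parent !== '.') {
	try {
		// check this component only; the loop itself moves on to the ancestors
		$this->getFilenameValidator()
			->validateFilename(basename($parent));
	} catch (InvalidPathException $e) {
		// Ignore invalid file type exceptions on directories
		if ($e->getCode() !== FilenameValidator::INVALID_FILE_TYPE) {
			$l = \OCP\Util::getL10N('lib');
			throw new InvalidPathException($l->t('Invalid parent path'), previous: $e);
		}
	}
	$parent = dirname($parent);
}
```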