aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorThomas Müller <thomas.mueller@tmit.eu>2013-09-24 13:26:12 +0200
committerThomas Müller <thomas.mueller@tmit.eu>2013-09-24 13:26:12 +0200
commitee1f627155cad4153f3da3160ca6040c137841d3 (patch)
tree64864c6ffec1d150fe68a1136a72d92327ea11d5
parent40871bab88159d914cfab2dd938a2312ed8eb1c1 (diff)
downloadnextcloud-server-ee1f627155cad4153f3da3160ca6040c137841d3.tar.gz
nextcloud-server-ee1f627155cad4153f3da3160ca6040c137841d3.zip
adding privilege check on move and rename operations
-rw-r--r--lib/connector/sabre/node.php11
-rw-r--r--lib/connector/sabre/objecttree.php24
2 files changed, 34 insertions, 1 deletions
diff --git a/lib/connector/sabre/node.php b/lib/connector/sabre/node.php
index 0bffa58af78..29b7f9e53a5 100644
--- a/lib/connector/sabre/node.php
+++ b/lib/connector/sabre/node.php
@@ -78,6 +78,11 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr
*/
public function setName($name) {
+ // rename is only allowed if the update privilege is granted
+ if (!\OC\Files\Filesystem::isUpdatable($this->path)) {
+ throw new \Sabre_DAV_Exception_Forbidden();
+ }
+
list($parentPath, ) = Sabre_DAV_URLUtil::splitPath($this->path);
list(, $newName) = Sabre_DAV_URLUtil::splitPath($name);
@@ -135,6 +140,12 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr
* Even if the modification time is set to a custom value the access time is set to now.
*/
public function touch($mtime) {
+
+ // touch is only allowed if the update privilege is granted
+ if (!\OC\Files\Filesystem::isUpdatable($this->path)) {
+ throw new \Sabre_DAV_Exception_Forbidden();
+ }
+
\OC\Files\Filesystem::touch($this->path, $mtime);
}
diff --git a/lib/connector/sabre/objecttree.php b/lib/connector/sabre/objecttree.php
index acff45ed5e2..7accf98c8e1 100644
--- a/lib/connector/sabre/objecttree.php
+++ b/lib/connector/sabre/objecttree.php
@@ -64,7 +64,29 @@ class ObjectTree extends \Sabre_DAV_ObjectTree {
list($sourceDir,) = \Sabre_DAV_URLUtil::splitPath($sourcePath);
list($destinationDir,) = \Sabre_DAV_URLUtil::splitPath($destinationPath);
- Filesystem::rename($sourcePath, $destinationPath);
+ // check update privileges
+ if ($sourceDir === $destinationDir) {
+ // for renaming it's enough to check if the sourcePath can be updated
+ if (!\OC\Files\Filesystem::isUpdatable($sourcePath)) {
+ throw new \Sabre_DAV_Exception_Forbidden();
+ }
+ } else {
+ // for a full move we need update privileges on sourcePath and sourceDir as well as destinationDir
+ if (!\OC\Files\Filesystem::isUpdatable($sourcePath)) {
+ throw new \Sabre_DAV_Exception_Forbidden();
+ }
+ if (!\OC\Files\Filesystem::isUpdatable($sourceDir)) {
+ throw new \Sabre_DAV_Exception_Forbidden();
+ }
+ if (!\OC\Files\Filesystem::isUpdatable($destinationDir)) {
+ throw new \Sabre_DAV_Exception_Forbidden();
+ }
+ }
+
+ $renameOkay = Filesystem::rename($sourcePath, $destinationPath);
+ if (!$renameOkay) {
+ throw new \Sabre_DAV_Exception_Forbidden('');
+ }
$this->markDirty($sourceDir);
$this->markDirty($destinationDir);