author | Roeland Jago Douma <roeland@famdouma.nl> | 2016-12-02 10:03:02 +0100 |
committer | Roeland Jago Douma <roeland@famdouma.nl> | 2016-12-02 13:03:56 +0100 |
commit | 363963577c97b6f87df47f424ce6f43c82cadfab (patch) | |
tree | 3b077ca5e92a32927f26a6e1af096f8f7e1904b7 /apps/dav | |
parent | be1b2b723fcf510c6b12da6e2f7dd5be9f768895 (diff) | |
Harden files drop
* Fail on MKCOL
* Only take the filename, ignore directories
* No need to parse query parameters
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to 'apps/dav')
-rw-r--r-- | apps/dav/lib/Files/Sharing/FilesDropPlugin.php | 30 |
1 files changed, 10 insertions, 20 deletions
diff --git a/apps/dav/lib/Files/Sharing/FilesDropPlugin.php b/apps/dav/lib/Files/Sharing/FilesDropPlugin.php
index 299427b1634..3485df09d0f 100644
--- a/apps/dav/lib/Files/Sharing/FilesDropPlugin.php
+++ b/apps/dav/lib/Files/Sharing/FilesDropPlugin.php
@@ -23,6 +23,7 @@ namespace OCA\DAV\Files\Sharing;
 use OC\Files\View;
+use Sabre\DAV\Exception\MethodNotAllowed;
 use Sabre\DAV\ServerPlugin;
 use Sabre\HTTP\RequestInterface;
 use Sabre\HTTP\ResponseInterface;
@@ -56,6 +57,7 @@ class FilesDropPlugin extends ServerPlugin {
 * @param \Sabre\DAV\Server $server Sabre server
 *
 * @return void
+ * @throws MethodNotAllowed
 */
 public function initialize(\Sabre\DAV\Server $server) {
 $server->on('beforeMethod', [$this, 'beforeMethod'], 999);
@@ -64,31 +66,19 @@ class FilesDropPlugin extends ServerPlugin {
 public function beforeMethod(RequestInterface $request, ResponseInterface $response){
- if (!$this->enabled || $request->getMethod() !== 'PUT') {
+ if (!$this->enabled) {
 return;
 }
- $path = $request->getPath();
-
- if ($this->view->file_exists($path)) {
- $newName = \OC_Helper::buildNotExistingFileNameForView('/', $path, $this->view);
-
- $url = $request->getBaseUrl() . $newName . '?';
- $parms = $request->getQueryParameters();
- $first = true;
- foreach ($parms as $k => $v) {
- if ($first) {
- $url .= '?';
- $first = false;
- } else {
- $url .= '&';
- }
- $url .= $k . '=' . $v;
- }
-
- $request->setUrl($url);
+ if ($request->getMethod() !== 'PUT') {
+ throw new MethodNotAllowed('Only PUT is allowed on files drop');
 }
+ $path = explode('/', $request->getPath());
+ $path = array_pop($path);
+ $newName = \OC_Helper::buildNotExistingFileNameForView('/', $path, $this->view);
+ $url = $request->getBaseUrl() . $newName;
+ $request->setUrl($url);
 }
 }
|
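Review bot: The `@throws MethodNotAllowed` tag is added to the docblock of `initialize()`, but that method only registers the `beforeMethod` listener and throws nothing; the exception is raised from `beforeMethod()` in the following hunk, so the tag documents the wrong method. Move it to the docblock of `beforeMethod()` and state the contract it now enforces: `@throws MethodNotAllowed when files drop is enabled and the request method is not PUT`. The body of `initialize()` continues outside this hunk.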
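Review bot: `array_pop()` on the exploded path yields an empty string when the request path is empty or ends in `/`, so a PUT to the share root reaches `buildNotExistingFileNameForView()` with `''` as the name instead of being refused; guard it right after the pop: `if ($path === '') { throw new \Sabre\DAV\Exception\BadRequest('A file name is required'); }`. Separately, the name appended to `getBaseUrl()` originates from `getPath()`, which in Sabre is the percent-decoded path, so a name containing `%`, `?` or `#` is re-interpreted when the URL handed to `setUrl()` is parsed again; the name component should be re-encoded (e.g. `rawurlencode()` on the name, not on any leading slash) before concatenation, which is worth confirming against what `buildNotExistingFileNameForView()` actually returns. Both `beforeMethod()` and the class closing brace lie fully inside this hunk.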