author | Lukas Reschke <lukas@statuscode.ch> | 2014-02-20 11:16:43 +0100 |
---|---|---|
committer | Lukas Reschke <lukas@statuscode.ch> | 2014-02-20 11:16:43 +0100 |
commit | 65c0b73c8783e03418a861e62a7e2bba8515a9fe (patch) | |
tree | 13ca684bb4a583dbac2fbceb3e210f95f999acbe /core | |
parent | 3bd984ebf08f2a5c1342e799f2610862fe768720 (diff) | |
parent | c19cacb29f263558f052ccd8d78033d63326589e (diff) | |
download | nextcloud-server-65c0b73c8783e03418a861e62a7e2bba8515a9fe.tar.gz nextcloud-server-65c0b73c8783e03418a861e62a7e2bba8515a9fe.zip |
Merge pull request #7255 from owncloud/fix-admin-remote
An admin should not be able to add remote and public services on its own
Diffstat (limited to 'core')
-rw-r--r-- | core/ajax/appconfig.php | 27 |
1 files changed, 21 insertions, 6 deletions
diff --git a/core/ajax/appconfig.php b/core/ajax/appconfig.php
index 4f26dedc797..05b7572c6d7 100644
--- a/core/ajax/appconfig.php
+++ b/core/ajax/appconfig.php
@@ -9,28 +9,43 @@
 OC_Util::checkAdminUser();
 OCP\JSON::callCheck();
 $action=isset($_POST['action'])?$_POST['action']:$_GET['action'];
+
+if(isset($_POST['app']) || isset($_GET['app'])) {
+ $app=OC_App::cleanAppId(isset($_POST['app'])?$_POST['app']:$_GET['app']);
+}
+
+// An admin should not be able to add remote and public services
+// on its own. This should only be possible programmatically.
+// This change is due the fact that an admin may not be expected
+// to execute arbitrary code in every environment.
+if($app === 'core' && isset($_POST['key']) &&(substr($_POST['key'],0,7) === 'remote_' || substr($_POST['key'],0,7) === 'public_')) {
+ OC_JSON::error(array('data' => array('message' => 'Unexpected error!')));
+ return;
+}
+
 $result=false;
 switch($action) {
 case 'getValue':
- $result=OC_Appconfig::getValue($_GET['app'], $_GET['key'], $_GET['defaultValue']);
+ $result=OC_Appconfig::getValue($app, $_GET['key'], $_GET['defaultValue']);
 break;
 case 'setValue':
- $result=OC_Appconfig::setValue($_POST['app'], $_POST['key'], $_POST['value']);
+ $result=OC_Appconfig::setValue($app, $_POST['key'], $_POST['value']);
 break;
 case 'getApps':
 $result=OC_Appconfig::getApps();
 break;
 case 'getKeys':
- $result=OC_Appconfig::getKeys($_GET['app']);
+ $result=OC_Appconfig::getKeys($app);
 break;
 case 'hasKey':
- $result=OC_Appconfig::hasKey($_GET['app'], $_GET['key']);
+ $result=OC_Appconfig::hasKey($app, $_GET['key']);
 break;
 case 'deleteKey':
- $result=OC_Appconfig::deleteKey($_POST['app'], $_POST['key']);
+ $result=OC_Appconfig::deleteKey($app, $_POST['key']);
 break;
 case 'deleteApp':
- $result=OC_Appconfig::deleteApp($_POST['app']);
+ $result=OC_Appconfig::deleteApp($app);
 break;
 }
 OC_JSON::success(array('data'=>$result));
+
|
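Review bot: `$app` is assigned only inside the `isset` guard, so a request that carries no `app` parameter reaches `if($app === 'core' && ...)` with an undefined variable (a PHP notice) and then passes `null` into every `OC_Appconfig` call below; initialise it before the guard, `$app = null;`, or fail closed with `OC_JSON::error(...)` when it is empty, since only `getApps` can do without an app id. The deny rule compares `substr($_POST['key'],0,7)` with `remote_`/`public_` exactly and case-sensitively, which is sound only if the code that later loads remote and public services from app config matches keys the same way; that read side is outside this hunk, so it is worth confirming there is no trimmed or case-insensitive lookup that the check would not cover. The generic `'Unexpected error!'` message also hides the reason from the admin who hit the restriction; a message naming the restriction would be more helpful without disclosing anything new.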