verify the path in the autoloader

1 files changed, 32 insertions, 1 deletions

diff --git a/lib/autoloader.php b/lib/autoloader.php
index 23285f61e73..010318a65be 100644
--- a/lib/autoloader.php
+++ b/lib/autoloader.php
@@ -34,13 +34,34 @@ class Autoloader {
 
 	private $classPaths = array();
 
+	private $validRoots = [];
+
 	/**
 	 * Optional low-latency memory cache for class to path mapping.
+	 *
 	 * @var \OC\Memcache\Cache
 	 */
 	protected $memoryCache;
 
 	/**
+	 * Autoloader constructor.
+	 *
+	 * @param string[] $validRoots
+	 */
+	public function __construct(array $validRoots) {
+		$this->validRoots = $validRoots;
+	}
+
+	/**
+	 * Add a path to the list of valid php roots for auto loading
+	 *
+	 * @param string $root
+	 */
+	public function addValidRoot($root) {
+		$this->validRoots[] = $root;
+	}
+
+	/**
 	 * disable the usage of the global classpath \OC::$CLASSPATH
 	 */
 	public function disableGlobalClassPath() {
@@ -102,6 +123,15 @@ class Autoloader {
 		return $paths;
 	}
 
+	protected function isValidPath($fullPath) {
+		foreach ($this->validRoots as $root) {
+			if (substr($fullPath, 0, strlen($root) + 1) === $root . '/') {
+				return true;
+			}
+		}
+		throw new \Exception('Path not allowed');
+	}
+
 	/**
 	 * Load the specified class
 	 *
@@ -119,7 +149,7 @@ class Autoloader {
 			$pathsToRequire = array();
 			foreach ($this->findClass($class) as $path) {
 				$fullPath = stream_resolve_include_path($path);
-				if ($fullPath) {
+				if ($fullPath && $this->isValidPath($fullPath)) {
 					$pathsToRequire[] = $fullPath;
 				}
 			}
@@ -138,6 +168,7 @@ class Autoloader {
 
 	/**
 	 * Sets the optional low-latency cache for class to path mapping.
+	 *
 	 * @param \OC\Memcache\Cache $memoryCache Instance of memory cache.
 	 */
 	public function setMemoryCache(\OC\Memcache\Cache $memoryCache = null) {