author | Georg Ehrke <dev@georgswebsite.de> | 2012-04-26 17:55:00 +0200 |
committer | Georg Ehrke <dev@georgswebsite.de> | 2012-04-26 17:55:00 +0200 |
commit | 40f95ffdf3edf9ab45c15bd5b9018d7f4d92baa9 (patch) | |
tree | af8aeba6f15770a2d07e9489dfc9490572b0d2e6 /lib/base.php | |
parent | 0249a72caba9f1a4eeaf51f382a74fe61b66c284 (diff) | |
fix security check for the path of the requested file
Diffstat (limited to 'lib/base.php')
-rw-r--r-- | lib/base.php | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/lib/base.php b/lib/base.php
index bb6dc3d8d70..74693641f6e 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -276,7 +276,7 @@ class OC{
 }
 public static function loadapp(){
- if(file_exists(OC::$APPSROOT . '/apps/' . OC::$REQUESTEDAPP)){
+ if(file_exists(OC::$APPSROOT . '/apps/' . OC::$REQUESTEDAPP . '/index.php')){
 require_once(OC::$APPSROOT . '/apps/' . OC::$REQUESTEDAPP . '/index.php');
 }else{
 trigger_error('The requested App was not found.', E_USER_ERROR);//load default app instead?
@@ -414,7 +414,7 @@ class OC{
 register_shutdown_function(array('OC_Helper','cleanTmp'));
 self::$REQUESTEDAPP = (isset($_GET['app'])?strip_tags($_GET['app']):'files');
- self::$REQUESTEDFILE = $_GET['getfile'];
+ self::$REQUESTEDFILE = (isset($_GET['getfile'])?$_GET['getfile']:null);
 if(substr_count(self::$REQUESTEDFILE, '?') != 0){
 $file = substr(self::$REQUESTEDFILE, 0, strpos(self::$REQUESTEDFILE, '?'));
 $param = substr(self::$REQUESTEDFILE, strpos(self::$REQUESTEDFILE, '?') + 1);
@@ -423,7 +423,15 @@ class OC{
 self::$REQUESTEDFILE = $file;
 $_GET['getfile'] = $file;
 }
- self::$REQUESTEDFILE = (isset($_GET['getfile'])?(OC_Helper::issubdirectory(OC::$APPSROOT . '/' . self::$REQUESTEDAPP . '/' . self::$REQUESTEDFILE, OC::$APPSROOT . '/' . self::$REQUESTEDAPP)?self::$REQUESTEDFILE:null):null);
+ if(!is_null(self::$REQUESTEDFILE)){
+ $subdir = OC::$APPSROOT . '/' . self::$REQUESTEDAPP . '/' . self::$REQUESTEDFILE;
+ $parent = OC::$APPSROOT . '/' . self::$REQUESTEDAPP;
+ if(!OC_Helper::issubdirectory($subdir, $parent)){
+ self::$REQUESTEDFILE = null;
+ //header('HTTP/1.0 404 Not Found');
+ exit;
+ }
+ }
 }
 }
|
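Review bot: The new `file_exists(... '/index.php')` test in loadapp does not constrain `OC::$REQUESTEDAPP`, which the second hunk shows is taken from `$_GET['app']` with only `strip_tags()` applied, so a value like `../../x` still resolves through `..` and the `require_once` path remains attacker-influenced. Unless the app name is validated before loadapp runs (not visible here), the name itself needs a guard, e.g. `if(!preg_match('/^[a-zA-Z0-9_-]+$/', OC::$REQUESTEDAPP) || !file_exists(OC::$APPSROOT . '/apps/' . OC::$REQUESTEDAPP . '/index.php')){`. Note also that this function loads from `OC::$APPSROOT . '/apps/'` while the third hunk builds its containment check under `OC::$APPSROOT . '/'`; one of the two prefixes looks wrong and should be reconciled. loadapp's body continues past the end of the hunk.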
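Review bot: The new assignment `self::$REQUESTEDFILE = (isset($_GET['getfile'])?$_GET['getfile']:null);` accepts any `$_GET` value, so `?getfile[]=x` stores an array; `substr_count()` on the following line then emits a warning and returns null, and the later `is_null()` guard in the third hunk does not reject an array either. Restrict the input to strings at this point: `self::$REQUESTEDFILE = (isset($_GET['getfile']) && is_string($_GET['getfile']))?$_GET['getfile']:null;`. The enclosing function starts before this hunk.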
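Review bot: In the rejection branch the line `self::$REQUESTEDFILE = null;` is dead because `exit;` follows immediately, and with `header('HTTP/1.0 404 Not Found');` commented out a rejected traversal attempt terminates as an empty 200 response, which hides the event from access logs and monitoring. Replace the three lines of that branch with `header('HTTP/1.0 404 Not Found');` followed by `exit;`. Whether `OC_Helper::issubdirectory()` canonicalises its arguments (realpath or equivalent) is not visible here; if it is a plain prefix comparison, a `$subdir` containing `..` segments would still pass and the helper itself needs review. The check also takes `self::$REQUESTEDAPP` as trusted when building `$parent`, so it only holds if the app name is validated elsewhere. The enclosing function starts before this hunk.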