author | Thomas Müller <thomas.mueller@tmit.eu> | 2013-09-30 00:20:34 -0700 |
---|---|---|
committer | Thomas Müller <thomas.mueller@tmit.eu> | 2013-09-30 00:20:34 -0700 |
commit | 5899485ca17045e93528c29d1ed63b02192c4191 (patch) | |
tree | 9ae2e2a57a430cb48e6d274d7517fcc79fef7b4a /lib/connector/sabre | |
parent | 4032065ec614224c6b3483477edaf647754a2922 (diff) | |
parent | 79da35b698a398bef59f83f222de3055ddbb5a92 (diff) | |
download | nextcloud-server-5899485ca17045e93528c29d1ed63b02192c4191.tar.gz nextcloud-server-5899485ca17045e93528c29d1ed63b02192c4191.zip |
Merge pull request #4969 from owncloud/fixing-4043-master
adding privilege check on move and rename operations
Diffstat (limited to 'lib/connector/sabre')
-rw-r--r-- | lib/connector/sabre/node.php | 11 | ||||
-rw-r--r-- | lib/connector/sabre/objecttree.php | 44 |
2 files changed, 52 insertions, 3 deletions
diff --git a/lib/connector/sabre/node.php b/lib/connector/sabre/node.php
index 0bffa58af78..29b7f9e53a5 100644
--- a/lib/connector/sabre/node.php
+++ b/lib/connector/sabre/node.php
@@ -78,6 +78,11 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr
 */
 public function setName($name) {
+ // rename is only allowed if the update privilege is granted
+ if (!\OC\Files\Filesystem::isUpdatable($this->path)) {
+ throw new \Sabre_DAV_Exception_Forbidden();
+ }
+
 list($parentPath, ) = Sabre_DAV_URLUtil::splitPath($this->path);
 list(, $newName) = Sabre_DAV_URLUtil::splitPath($name);
@@ -135,6 +140,12 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr
 * Even if the modification time is set to a custom value the access time is set to now.
 */
 public function touch($mtime) {
+
+ // touch is only allowed if the update privilege is granted
+ if (!\OC\Files\Filesystem::isUpdatable($this->path)) {
+ throw new \Sabre_DAV_Exception_Forbidden();
+ }
+
 \OC\Files\Filesystem::touch($this->path, $mtime);
 }
diff --git a/lib/connector/sabre/objecttree.php b/lib/connector/sabre/objecttree.php
index acff45ed5e2..80c3840b99d 100644
--- a/lib/connector/sabre/objecttree.php
+++ b/lib/connector/sabre/objecttree.php
@@ -11,6 +11,14 @@ namespace OC\Connector\Sabre;
 use OC\Files\Filesystem;
 class ObjectTree extends \Sabre_DAV_ObjectTree {
+
+ /**
+ * keep this public to allow mock injection during unit test
+ *
+ * @var \OC\Files\View
+ */
+ public $fileView;
+
 /**
 * Returns the INode object for the requested path
 *
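Review bot: The guard added at the top of setName() throws `\Sabre_DAV_Exception_Forbidden()` with no message, and nothing in the hunk logs the denial, so a refused rename reaches the client as a bare 403 and leaves nothing for anyone auditing permission failures. The same three lines are repeated in touch() in the next hunk and three more times in ObjectTree::move(). I would give the exception a reason, e.g. `throw new \Sabre_DAV_Exception_Forbidden('Update permission required');`, and move the check into one private helper so the call sites cannot drift apart. setName() continues past the end of the hunk, so whether the result of the rename it presumably performs is checked is not visible here; move() checks it after this commit, and setName() should match.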
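Review bot: `public $fileView` lets any code that holds the tree replace the object that answers every `isUpdatable()` call in move(), which is a wide surface for something the new permission checks depend on. The docblock says it is public only for mock injection; `protected $fileView;` with a constructor argument or a `setFileView(\OC\Files\View $view)` used by the tests would serve that purpose without leaving the property open in production. If it stays public, the comment should say that replacing it changes how permissions are evaluated.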
@@ -21,14 +29,16 @@ class ObjectTree extends \Sabre_DAV_ObjectTree {
 public function getNodeForPath($path) {
 $path = trim($path, '/');
- if (isset($this->cache[$path])) return $this->cache[$path];
+ if (isset($this->cache[$path])) {
+ return $this->cache[$path];
+ }
 // Is it the root node?
 if (!strlen($path)) {
 return $this->rootNode;
 }
- $info = Filesystem::getFileInfo($path);
+ $info = $this->getFileView()->getFileInfo($path);
 if (!$info) {
 throw new \Sabre_DAV_Exception_NotFound('File with name ' . $path . ' could not be located');
@@ -64,7 +74,25 @@ class ObjectTree extends \Sabre_DAV_ObjectTree {
 list($sourceDir,) = \Sabre_DAV_URLUtil::splitPath($sourcePath);
 list($destinationDir,) = \Sabre_DAV_URLUtil::splitPath($destinationPath);
- Filesystem::rename($sourcePath, $destinationPath);
+ // check update privileges
+ $fs = $this->getFileView();
+ if (!$fs->isUpdatable($sourcePath)) {
+ throw new \Sabre_DAV_Exception_Forbidden();
+ }
+ if ($sourceDir !== $destinationDir) {
+ // for a full move we need update privileges on sourcePath and sourceDir as well as destinationDir
+ if (!$fs->isUpdatable($sourceDir)) {
+ throw new \Sabre_DAV_Exception_Forbidden();
+ }
+ if (!$fs->isUpdatable($destinationDir)) {
+ throw new \Sabre_DAV_Exception_Forbidden();
+ }
+ }
+
+ $renameOkay = $fs->rename($sourcePath, $destinationPath);
+ if (!$renameOkay) {
+ throw new \Sabre_DAV_Exception_Forbidden('');
+ }
 $this->markDirty($sourceDir);
 $this->markDirty($destinationDir);
@@ -101,4 +129,14 @@ class ObjectTree extends \Sabre_DAV_ObjectTree {
 list($destinationDir,) = \Sabre_DAV_URLUtil::splitPath($destination);
 $this->markDirty($destinationDir);
 }
+
+ /**
+ * @return \OC\Files\View
+ */
+ public function getFileView() {
+ if (is_null($this->fileView)) {
+ $this->fileView = \OC\Files\Filesystem::getView();
+ }
+ return $this->fileView;
+ }
 } |
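Review bot: For a move between directories the new checks ask only for update permission on `$sourceDir` and `$destinationDir`, but such a move removes an entry from one folder and creates one in the other, so a share that grants update without create or delete would still pass. If the view offers the matching checks (I would expect `isDeletable()` and `isCreatable()` beside `isUpdatable()`; confirm against \OC\Files\View), the cross-directory branch should use `if (!$fs->isDeletable($sourcePath))` and `if (!$fs->isCreatable($destinationDir))`. Separately, `throw new \Sabre_DAV_Exception_Forbidden('')` turns every failed rename into a 403 with an empty message, which hides storage errors behind what looks like a permission denial. The enclosing move function starts above the hunk and continues below it.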
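Review bot: getFileView() stores whatever `\OC\Files\Filesystem::getView()` returns, and callers such as getNodeForPath() and move() call a method on the result straight away. If getView() can return null before the filesystem is initialised (not visible here), that ends in a fatal error instead of a DAV exception the server can report. I would check the value after the assignment and throw a DAV exception with a clear message when it is still null. The docblock carries only `@return`; one line such as `Returns the view used for file info and permission checks, created lazily from the default filesystem view` would tell a reader why the indirection exists.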