Filter potential dangerous filenames for avatars

We don't want to have users misusing this API resulting in a potential file disclosure of "avatar.(jpg|png)" files.

1 files changed, 10 insertions, 4 deletions

diff --git a/lib/private/avatar.php b/lib/private/avatar.php
index e3c9eb2bb05..61a179810f2 100644
--- a/lib/private/avatar.php
+++ b/lib/private/avatar.php
@@ -8,6 +8,7 @@
  * @author Robin McCorkell <rmccorkell@karoshi.org.uk>
  * @author Roeland Jago Douma <roeland@famdouma.nl>
  * @author Thomas Müller <thomas.mueller@tmit.eu>
+ * @author Lukas Reschke <lukas@owncloud.com>
  *
  * @copyright Copyright (c) 2015, ownCloud, Inc.
  * @license AGPL-3.0
@@ -26,23 +27,28 @@
  *
  */
 
- namespace OC;
+namespace OC;
 
- use OC_Image;
+use OC\Files\Filesystem;
+use OC_Image;
 
 /**
  * This class gets and sets users avatars.
  */
 
 class Avatar implements \OCP\IAvatar {
-
+	/** @var Files\View  */
 	private $view;
 
 	/**
 	 * constructor
 	 * @param string $user user to do avatar-management with
-	*/
+	 * @throws \Exception In case the username is potentially dangerous
+	 */
 	public function __construct ($user) {
+		if(!Filesystem::isValidPath($user)) {
+			throw new \Exception('Username may not contain slashes');
+		}
 		$this->view = new \OC\Files\View('/'.$user);
 	}