diff options
| author | Morris Jobke <hey@morrisjobke.de> | 2014-05-12 01:42:25 +0200 |
|---|---|---|
| committer | Morris Jobke <hey@morrisjobke.de> | 2014-05-12 01:42:25 +0200 |
| commit | 2054837d017390604e9ac64ce6e7feedbea53a1c (patch) | |
| tree | 09640bd77add39a8fd2ce42f3a87e5757122d632 /lib/private/helper.php | |
| parent | 984b509c0b3477dcb09e1871ac55137b7a00efc0 (diff) | |
| parent | fd5b2d11d6a174f46df563917060e350f6df079a (diff) | |
| download | nextcloud-server-2054837d017390604e9ac64ce6e7feedbea53a1c.tar.gz nextcloud-server-2054837d017390604e9ac64ce6e7feedbea53a1c.zip | |
Merge pull request #8541 from owncloud/hardenIsSubDirectory
Harden issubdirectory()
Diffstat (limited to 'lib/private/helper.php')
| -rw-r--r-- | lib/private/helper.php | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/lib/private/helper.php b/lib/private/helper.php index 64da1f6fb12..6bc054bce86 100644 --- a/lib/private/helper.php +++ b/lib/private/helper.php @@ -732,10 +732,22 @@ class OC_Helper { * @param string $parent * @return bool */ - public static function issubdirectory($sub, $parent) { - if (strpos(realpath($sub), realpath($parent)) === 0) { + public static function isSubDirectory($sub, $parent) { + $realpathSub = realpath($sub); + $realpathParent = realpath($parent); + + // realpath() may return false in case the directory does not exist + // since we can not be sure how different PHP versions may behave here + // we do an additional check whether realpath returned false + if($realpathSub === false || $realpathParent === false) { + return false; + } + + // Check whether $sub is a subdirectory of $parent + if (strpos($realpathSub, $realpathParent) === 0) { return true; } + return false; } |