author | Robin Appelman <icewind@owncloud.com> | 2015-08-18 15:35:02 +0200 |
---|---|---|
committer | Robin Appelman <icewind@owncloud.com> | 2015-09-01 15:03:28 +0200 |
commit | e9b91b1798fde385aafc0512865b1c11b0249069 (patch) | |
tree | e8030335454fcfc4f3720af6a16f81a7531614df /lib | |
parent | 0d4562c938e5dd2bb6b3a0d7fd9a446464cbcfe7 (diff) | |
verify the path in the autoloader
Diffstat (limited to 'lib')
-rw-r--r-- | lib/autoloader.php | 33 | ||||
-rw-r--r-- | lib/base.php | 19 |
2 files changed, 47 insertions, 5 deletions
diff --git a/lib/autoloader.php b/lib/autoloader.php
index 23285f61e73..010318a65be 100644
--- a/lib/autoloader.php
+++ b/lib/autoloader.php
@@ -34,13 +34,34 @@ class Autoloader {
 private $classPaths = array();
+ private $validRoots = [];
+
 /**
 * Optional low-latency memory cache for class to path mapping.
+ *
 * @var \OC\Memcache\Cache
 */
 protected $memoryCache;
 /**
+ * Autoloader constructor.
+ *
+ * @param string[] $validRoots
+ */
+ public function __construct(array $validRoots) {
+ $this->validRoots = $validRoots;
+ }
+
+ /**
+ * Add a path to the list of valid php roots for auto loading
+ *
+ * @param string $root
+ */
+ public function addValidRoot($root) {
+ $this->validRoots[] = $root;
+ }
+
+ /**
 * disable the usage of the global classpath \OC::$CLASSPATH
 */
 public function disableGlobalClassPath() {
@@ -102,6 +123,15 @@ class Autoloader {
 return $paths;
 }
+ protected function isValidPath($fullPath) {
+ foreach ($this->validRoots as $root) {
+ if (substr($fullPath, 0, strlen($root) + 1) === $root . '/') {
+ return true;
+ }
+ }
+ throw new \Exception('Path not allowed');
+ }
+
 /**
 * Load the specified class
 *
@@ -119,7 +149,7 @@ class Autoloader {
 $pathsToRequire = array();
 foreach ($this->findClass($class) as $path) {
 $fullPath = stream_resolve_include_path($path);
- if ($fullPath) {
+ if ($fullPath && $this->isValidPath($fullPath)) {
 $pathsToRequire[] = $fullPath;
 }
 }
@@ -138,6 +168,7 @@ class Autoloader {
 /**
 * Sets the optional low-latency cache for class to path mapping.
+ *
 * @param \OC\Memcache\Cache $memoryCache Instance of memory cache.
 */
 public function setMemoryCache(\OC\Memcache\Cache $memoryCache = null) {
diff --git a/lib/base.php b/lib/base.php
index aceac2e53c3..9cf0228bbd9 100644
--- a/lib/base.php
+++ b/lib/base.php
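Review bot: The constructor and `addValidRoot()` in the first lib/autoloader.php hunk store each root exactly as passed, while `isValidPath()` compares it against the result of `stream_resolve_include_path()`, which is a resolved absolute filename. A root supplied with a trailing slash, as a relative path, or (as far as the resolution goes) through a symlink would then never match the `$root . '/'` prefix, and every class below it would be refused. This matters most for the app roots that lib/base.php passes in from `OC::$APPSROOTS`, which come from configuration. Normalising on entry would make the comparison reliable, for example `$this->validRoots[] = rtrim(realpath($root) ?: $root, '/');` in `addValidRoot()` and the same mapping in the constructor. The new `$validRoots` property also lacks a docblock, unlike `$memoryCache` beside it.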
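Review bot: `isValidPath()` is named like a predicate but can only return `true` or throw, so the `&&` in `load()` never sees `false` and a single candidate outside the roots aborts the whole lookup with a bare `\Exception`. Failing closed may well be intended, but it is undocumented, and a caller that probes with `class_exists()` for such a class would now get an exception where it used to get `false`. I would add a docblock that states the contract, e.g. `@return bool true when $fullPath lies below one of the valid roots` and `@throws \Exception when it lies outside all of them`. Logging the rejected path server-side would also let an operator trace the generic 'Path not allowed' message.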
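Review bot: The new check in `load()` sits only inside the `findClass()` loop, so a path that reaches the later `require` by another route is not covered by it. `load()` starts and ends outside this hunk, so this is inferred: if the method takes `$pathsToRequire` from `$this->memoryCache` before reaching the loop, cached entries are trusted without validation, including any written before this change was deployed. Validating at the point where the file is actually required, or on the cache-hit branch as well, would make the root restriction hold wherever the path came from.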
@@ -115,9 +115,6 @@ class OC { * the app path list is empty or contains an invalid path */ public static function initPaths() { - // calculate the root directories - OC::$SERVERROOT = str_replace("\\", '/', substr(__DIR__, 0, -4)); - // ensure we can find OC_Config set_include_path( OC::$SERVERROOT . '/lib' . PATH_SEPARATOR . @@ -519,10 +516,20 @@ class OC { } public static function init() { + // calculate the root directories + OC::$SERVERROOT = str_replace("\\", '/', substr(__DIR__, 0, -4)); + // register autoloader $loaderStart = microtime(true); require_once __DIR__ . '/autoloader.php'; - self::$loader = new \OC\Autoloader(); + self::$loader = new \OC\Autoloader([ + OC::$SERVERROOT . '/lib', + OC::$SERVERROOT . '/core', + OC::$SERVERROOT . '/settings', + OC::$SERVERROOT . '/ocs', + OC::$SERVERROOT . '/ocs-provider', + OC::$SERVERROOT . '/3rdparty' + ]); spl_autoload_register(array(self::$loader, 'load')); $loaderEnd = microtime(true); @@ -545,6 +552,10 @@ class OC { exit(); } + foreach(OC::$APPSROOTS as $appRoot) { + self::$loader->addValidRoot($appRoot['path']); + } + // setup the basic server self::$server = new \OC\Server(\OC::$WEBROOT); \OC::$server->getEventLogger()->log('autoloader', 'Autoloader', $loaderStart, $loaderEnd); |
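Review bot: The root list handed to `new \OC\Autoloader([...])` in `init()` is hard-coded with no comment saying that it is the allow-list for every file the autoloader may require. A directory added later will fail with 'Path not allowed' and give little hint where to look. A short comment above the array would help, e.g. `// only files below these directories (plus the app roots added further down) may be autoloaded`. It is also worth confirming that `OC::$SERVERROOT . '/3rdparty'` is correct for installations that keep third-party code outside the server root; that configuration is not visible here, and `init()` continues outside the hunk.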