author | Arthur Schiwon <blizzz@arthur-schiwon.de> | 2019-12-16 18:51:19 +0100 |
---|---|---|
committer | Arthur Schiwon <blizzz@arthur-schiwon.de> | 2019-12-19 13:05:10 +0100 |
commit | af91efd3150b11d714cacace2a2022df8be26fa2 (patch) | |
tree | 436135aa68437c45d0c386fb12b0bd1e9307bc82 /lib | |
parent | 79eae96f45dbc953b5bc5512c82f4747c5b69c09 (diff) | |
download | nextcloud-server-af91efd3150b11d714cacace2a2022df8be26fa2.tar.gz nextcloud-server-af91efd3150b11d714cacace2a2022df8be26fa2.zip |
when downloading from web, skip files that are not accessible
* avoids a 403, but enables download of resources that are not restricted
* single file downloads still cause 403
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/private/Streamer.php | 12 | ||||
-rw-r--r-- | lib/private/legacy/files.php | 8 |
2 files changed, 15 insertions, 5 deletions
diff --git a/lib/private/Streamer.php b/lib/private/Streamer.php
index a25e3468593..23029d98912 100644
--- a/lib/private/Streamer.php
+++ b/lib/private/Streamer.php
@@ -113,12 +113,16 @@ class Streamer {
 $userFolder = \OC::$server->getRootFolder()->get(Filesystem::getRoot());
 /** @var Folder $dirNode */
- $dirNode = $userFolder->get($rootDir);
+ $dirNode = $userFolder->get($dir);
 $files = $dirNode->getDirectoryListing();
 foreach($files as $file) {
 if($file instanceof File) {
- $fh = $file->fopen('r');
+ try {
+ $fh = $file->fopen('r');
+ } catch (NotPermittedException $e) {
+ continue;
+ }
 $this->addFileFromStream(
 $fh,
 $internalDir . $file->getName(),
@@ -127,7 +131,9 @@ class Streamer {
 );
 fclose($fh);
 } elseif ($file instanceof Folder) {
- $this->addDirRecursive($file->getName(), $internalDir);
+ if($file->isReadable()) {
+ $this->addDirRecursive($dir . '/' . $file->getName(), $internalDir);
+ }
 }
 }
 }
diff --git a/lib/private/legacy/files.php b/lib/private/legacy/files.php
index 28396a9d076..ed26a125a6f 100644
--- a/lib/private/legacy/files.php
+++ b/lib/private/legacy/files.php
@@ -180,7 +180,11 @@ class OC_Files {
 $userFolder = \OC::$server->getRootFolder()->get(\OC\Files\Filesystem::getRoot());
 $file = $userFolder->get($file);
 if($file instanceof \OC\Files\Node\File) {
- $fh = $file->fopen('r');
+ try {
+ $fh = $file->fopen('r');
+ } catch (\OCP\Files\NotPermittedException $e) {
+ continue;
+ }
 $fileSize = $file->getSize();
 $fileTime = $file->getMTime();
 } else {
@@ -309,7 +313,7 @@ class OC_Files {
 OC_Util::obEnd();
 $view->lockFile($filename, ILockingProvider::LOCK_SHARED);
-
+
 $rangeArray = array();
 if (isset($params['range']) && substr($params['range'], 0, 6) === 'bytes=') { |
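Review bot: The new `catch (NotPermittedException $e) { continue; }` drops the file without any trace, so an archive can come back incomplete and neither the user nor an administrator can tell that an access rule withheld entries. The same silent skip appears in the second hunk's `isReadable()` branch and in the matching catch in lib/private/legacy/files.php. I would log each skip before continuing, e.g. `\OC::$server->getLogger()->debug('Skipping ' . $file->getPath() . ' in archive download: not permitted', ['app' => 'files']);`, so denied reads stay auditable. The enclosing method starts outside the hunk.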
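Review bot: Only the exception path is handled here; if `fopen('r')` can also return `false` on failure (its contract is not visible in this diff), `$fh` would still flow into the code after this `if`, which lies outside the hunk. A guard right after the try/catch, `if ($fh === false) { continue; }`, would treat that case like the denied one. The first hunk in lib/private/Streamer.php has the same shape, where `$fh` is passed straight to `addFileFromStream()` and `fclose()`. The surrounding loop that `continue` targets also starts outside the hunk.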