diff options
author | Thomas Müller <thomas.mueller@tmit.eu> | 2015-02-18 17:44:13 +0100 |
---|---|---|
committer | Thomas Müller <thomas.mueller@tmit.eu> | 2015-03-09 10:38:37 +0100 |
commit | 4bac595068c813c56d8d5e580e560527ba80194d (patch) | |
tree | e7584ca8ff57a9b037388d428e47f390bc1a7fcc /lib | |
parent | 348fe105b13717757bee4150caa9d3546d6a7666 (diff) | |
download | nextcloud-server-4bac595068c813c56d8d5e580e560527ba80194d.tar.gz nextcloud-server-4bac595068c813c56d8d5e580e560527ba80194d.zip |
adding storage specific filename verification - refs #13640
Diffstat (limited to 'lib')
-rw-r--r-- | lib/private/connector/sabre/exception/invalidpath.php | 57 | ||||
-rw-r--r-- | lib/private/connector/sabre/file.php | 10 | ||||
-rw-r--r-- | lib/private/connector/sabre/node.php | 14 | ||||
-rw-r--r-- | lib/private/connector/sabre/objecttree.php | 7 | ||||
-rw-r--r-- | lib/private/files/storage/common.php | 67 | ||||
-rw-r--r-- | lib/private/files/storage/wrapper/wrapper.php | 12 | ||||
-rw-r--r-- | lib/private/files/view.php | 37 | ||||
-rw-r--r-- | lib/public/files/storage.php | 9 |
8 files changed, 191 insertions, 22 deletions
diff --git a/lib/private/connector/sabre/exception/invalidpath.php b/lib/private/connector/sabre/exception/invalidpath.php new file mode 100644 index 00000000000..18285994bcc --- /dev/null +++ b/lib/private/connector/sabre/exception/invalidpath.php @@ -0,0 +1,57 @@ +<?php + +/** + * Copyright (c) 2015 Thomas Müller <deepdiver@owncloud.com> + * This file is licensed under the Affero General Public License version 3 or + * later. + * See the COPYING-README file. */ + +class OC_Connector_Sabre_Exception_InvalidPath extends \Sabre\DAV\Exception { + + /** + * @var bool + */ + private $retry; + + /** + * @param string $message + * @param bool $retry + */ + public function __construct($message, $retry = false) { + parent::__construct($message); + $this->retry = $retry; + } + + /** + * Returns the HTTP status code for this exception + * + * @return int + */ + public function getHTTPCode() { + + return 400; + + } + + /** + * This method allows the exception to include additional information into the WebDAV error response + * + * @param \Sabre\DAV\Server $server + * @param \DOMElement $errorNode + * @return void + */ + public function serialize(\Sabre\DAV\Server $server,\DOMElement $errorNode) { + + // set owncloud namespace + $errorNode->setAttribute('xmlns:o', OC_Connector_Sabre_FilesPlugin::NS_OWNCLOUD); + + // adding the retry node + $error = $errorNode->ownerDocument->createElementNS('o:','o:retry', var_export($this->retry, true)); + $errorNode->appendChild($error); + + // adding the message node + $error = $errorNode->ownerDocument->createElementNS('o:','o:reason', $this->getMessage()); + $errorNode->appendChild($error); + } + +} diff --git a/lib/private/connector/sabre/file.php b/lib/private/connector/sabre/file.php index 7ef6eea768e..8f0642d794a 100644 --- a/lib/private/connector/sabre/file.php +++ b/lib/private/connector/sabre/file.php @@ -66,17 +66,15 @@ class File extends \OC\Connector\Sabre\Node implements \Sabre\DAV\IFile { throw new \Sabre\DAV\Exception\ServiceUnavailable("Encryption is disabled"); } - $fileName = basename($this->info->getPath()); - if (!\OCP\Util::isValidFileName($fileName)) { - throw new \Sabre\DAV\Exception\BadRequest(); - } + // verify path of the target + $this->verifyPath(); // chunked handling if (isset($_SERVER['HTTP_OC_CHUNKED'])) { return $this->createFileChunked($data); } - list($storage,) = $this->fileView->resolvePath($this->path); + list($storage) = $this->fileView->resolvePath($this->path); $needsPartFile = $this->needsPartFile($storage) && (strlen($this->path) > 1); if ($needsPartFile) { @@ -329,5 +327,5 @@ class File extends \OC\Connector\Sabre\Node implements \Sabre\DAV\IFile { // and/or add method on Storage called "needsPartFile()" return !$storage->instanceOfStorage('OCA\Files_Sharing\External\Storage') && !$storage->instanceOfStorage('OC\Files\Storage\OwnCloud'); - } + } } diff --git a/lib/private/connector/sabre/node.php b/lib/private/connector/sabre/node.php index 8fee6a4eb4e..775e18657f1 100644 --- a/lib/private/connector/sabre/node.php +++ b/lib/private/connector/sabre/node.php @@ -103,9 +103,8 @@ abstract class Node implements \Sabre\DAV\INode { list($parentPath,) = \Sabre\HTTP\URLUtil::splitPath($this->path); list(, $newName) = \Sabre\HTTP\URLUtil::splitPath($name); - if (!\OCP\Util::isValidFileName($newName)) { - throw new \Sabre\DAV\Exception\BadRequest(); - } + // verify path of the target + $this->verifyPath(); $newPath = $parentPath . '/' . $newName; @@ -230,4 +229,13 @@ abstract class Node implements \Sabre\DAV\INode { } return $p; } + + protected function verifyPath() { + try { + $fileName = basename($this->info->getPath()); + $this->fileView->verifyPath($this->path, $fileName); + } catch (\OCP\Files\InvalidPathException $ex) { + throw new OC_Connector_Sabre_Exception_InvalidPath($ex->getMessage()); + } + } } diff --git a/lib/private/connector/sabre/objecttree.php b/lib/private/connector/sabre/objecttree.php index 5edd949eeaf..04ca1d7104d 100644 --- a/lib/private/connector/sabre/objecttree.php +++ b/lib/private/connector/sabre/objecttree.php @@ -11,6 +11,7 @@ namespace OC\Connector\Sabre; use OC\Files\FileInfo; use OC\Files\Filesystem; use OC\Files\Mount\MoveableMount; +use OC_Connector_Sabre_Exception_InvalidPath; use OCP\Files\StorageInvalidException; use OCP\Files\StorageNotAvailableException; @@ -185,8 +186,10 @@ class ObjectTree extends \Sabre\DAV\Tree { } $fileName = basename($destinationPath); - if (!\OCP\Util::isValidFileName($fileName)) { - throw new \Sabre\DAV\Exception\BadRequest(); + try { + $this->fileView->verifyPath($destinationDir, $fileName); + } catch (\OCP\Files\InvalidPathException $ex) { + throw new OC_Connector_Sabre_Exception_InvalidPath($ex->getMessage()); } $renameOkay = $this->fileView->rename($sourcePath, $destinationPath); diff --git a/lib/private/files/storage/common.php b/lib/private/files/storage/common.php index edd756cbf1e..a9ba034f4ee 100644 --- a/lib/private/files/storage/common.php +++ b/lib/private/files/storage/common.php @@ -8,8 +8,12 @@ namespace OC\Files\Storage; +use OC\Files\Cache\Cache; +use OC\Files\Cache\Scanner; +use OC\Files\Cache\Storage; use OC\Files\Filesystem; use OC\Files\Cache\Watcher; +use OCP\Files\InvalidPathException; /** * Storage backend class for providing common filesystem operation methods @@ -25,7 +29,6 @@ use OC\Files\Cache\Watcher; abstract class Common implements \OC\Files\Storage\Storage { protected $cache; protected $scanner; - protected $permissioncache; protected $watcher; protected $storageCache; @@ -303,7 +306,7 @@ abstract class Common implements \OC\Files\Storage\Storage { $storage = $this; } if (!isset($this->cache)) { - $this->cache = new \OC\Files\Cache\Cache($storage); + $this->cache = new Cache($storage); } return $this->cache; } @@ -313,7 +316,7 @@ abstract class Common implements \OC\Files\Storage\Storage { $storage = $this; } if (!isset($this->scanner)) { - $this->scanner = new \OC\Files\Cache\Scanner($storage); + $this->scanner = new Scanner($storage); } return $this->scanner; } @@ -323,7 +326,7 @@ abstract class Common implements \OC\Files\Storage\Storage { $storage = $this; } if (!isset($this->watcher)) { - $this->watcher = new \OC\Files\Cache\Watcher($storage); + $this->watcher = new Watcher($storage); $this->watcher->setPolicy(\OC::$server->getConfig()->getSystemValue('filesystem_check_changes', Watcher::CHECK_ONCE)); } return $this->watcher; @@ -334,7 +337,7 @@ abstract class Common implements \OC\Files\Storage\Storage { $storage = $this; } if (!isset($this->storageCache)) { - $this->storageCache = new \OC\Files\Cache\Storage($storage); + $this->storageCache = new Storage($storage); } return $this->storageCache; } @@ -451,4 +454,58 @@ abstract class Common implements \OC\Files\Storage\Storage { return []; } + /** + * @inheritdoc + */ + public function verifyPath($path, $fileName) { + // NOTE: $path will remain unverified for now + if (\OC_Util::runningOnWindows()) { + $this->verifyWindowsPath($fileName); + } else { + $this->verifyPosixPath($fileName); + } + } + + /** + * https://msdn.microsoft.com/en-us/library/windows/desktop/aa365247%28v=vs.85%29.aspx + * @param string $fileName + * @throws InvalidPathException + */ + private function verifyWindowsPath($fileName) { + $fileName = trim($fileName); + $this->scanForInvalidCharacters($fileName, "\\/<>:\"|?*"); + $reservedNames = ['CON', 'PRN', 'AUX', 'NUL', 'COM1', 'COM2', 'COM3', 'COM4', 'COM5', 'COM6', 'COM7', 'COM8', 'COM9', 'LPT1', 'LPT2', 'LPT3', 'LPT4', 'LPT5', 'LPT6', 'LPT7', 'LPT8', 'LPT9']; + if (in_array(strtoupper($fileName), $reservedNames)) { + throw new InvalidPathException("File name is a reserved word"); + } + } + + /** + * @param string $fileName + * @throws InvalidPathException + */ + private function verifyPosixPath($fileName) { + $fileName = trim($fileName); + $this->scanForInvalidCharacters($fileName, "\\/"); + $reservedNames = ['*']; + if (in_array($fileName, $reservedNames)) { + throw new InvalidPathException("File name is a reserved word"); + } + } + + /** + * @param $fileName + * @throws InvalidPathException + */ + private function scanForInvalidCharacters($fileName, $invalidChars) { + foreach (str_split($fileName) as $char) { + if (strpos($invalidChars, $char) !== false) { + throw new InvalidPathException('File name contains at least one invalid characters'); + } + if (ord($char) >= 0 && ord($char) <= 31) { + throw new InvalidPathException('File name contains at least one invalid characters'); + } + } + } + } diff --git a/lib/private/files/storage/wrapper/wrapper.php b/lib/private/files/storage/wrapper/wrapper.php index ea9de287361..9208a7f7774 100644 --- a/lib/private/files/storage/wrapper/wrapper.php +++ b/lib/private/files/storage/wrapper/wrapper.php @@ -8,6 +8,8 @@ namespace OC\Files\Storage\Wrapper; +use OCP\Files\InvalidPathException; + class Wrapper implements \OC\Files\Storage\Storage { /** * @var \OC\Files\Storage\Storage $storage @@ -477,4 +479,14 @@ class Wrapper implements \OC\Files\Storage\Storage { public function getDirectDownload($path) { return $this->storage->getDirectDownload($path); } + + /** + * @param string $path the path of the target folder + * @param string $fileName the name of the file itself + * @return void + * @throws InvalidPathException + */ + public function verifyPath($path, $fileName) { + $this->storage->verifyPath($path, $fileName); + } } diff --git a/lib/private/files/view.php b/lib/private/files/view.php index 4f9a4001d69..17fad72e5e7 100644 --- a/lib/private/files/view.php +++ b/lib/private/files/view.php @@ -11,6 +11,7 @@ namespace OC\Files; use OC\Files\Cache\Updater; use OC\Files\Mount\MoveableMount; +use OCP\Files\InvalidPathException; /** * Class to provide access to ownCloud filesystem via a "view", and methods for @@ -29,11 +30,10 @@ use OC\Files\Mount\MoveableMount; * \OC\Files\Storage\Storage object */ class View { + /** @var string */ private $fakeRoot = ''; - /** - * @var \OC\Files\Cache\Updater - */ + /** @var \OC\Files\Cache\Updater */ protected $updater; /** @@ -116,7 +116,7 @@ class View { * get the mountpoint of the storage object for a path * ( note: because a storage is not always mounted inside the fakeroot, the * returned mountpoint is relative to the absolute root of the filesystem - * and doesn't take the chroot into account ) + * and does not take the chroot into account ) * * @param string $path * @return string @@ -129,7 +129,7 @@ class View { * get the mountpoint of the storage object for a path * ( note: because a storage is not always mounted inside the fakeroot, the * returned mountpoint is relative to the absolute root of the filesystem - * and doesn't take the chroot into account ) + * and does not take the chroot into account ) * * @param string $path * @return \OCP\Files\Mount\IMountPoint @@ -1532,7 +1532,32 @@ class View { /** * @return Updater */ - public function getUpdater(){ + public function getUpdater() { return $this->updater; } + + public function verifyPath($path, $fileName) { + + // verify empty and dot files + $trimmed = trim($fileName); + if ($trimmed === '') { + throw new InvalidPathException('Empty filename is not allowed'); + } + if ($trimmed === '.' || $trimmed === '..') { + throw new InvalidPathException('Dot files are not allowed'); + } + + // verify database - e.g. mysql only 3-byte chars + if (preg_match('%^(?: + \xF0[\x90-\xBF][\x80-\xBF]{2} # planes 1-3 + | [\xF1-\xF3][\x80-\xBF]{3} # planes 4-15 + | \xF4[\x80-\x8F][\x80-\xBF]{2} # plane 16 +)*$%xs', $fileName)) { + throw new InvalidPathException('4-byte characters are not supported in file names'); + } + + /** @type \OCP\Files\Storage $storage */ + list($storage, $internalPath) = $this->resolvePath($path); + $storage->verifyPath($internalPath, $fileName); + } } diff --git a/lib/public/files/storage.php b/lib/public/files/storage.php index 3e6559c28f7..388ba5fa6ac 100644 --- a/lib/public/files/storage.php +++ b/lib/public/files/storage.php @@ -28,6 +28,7 @@ // use OCP namespace for all classes that are considered public. // This means that they should be used by apps instead of the internal ownCloud classes namespace OCP\Files; +use OCP\Files\InvalidPathException; /** * Provide a common interface to all different storage options @@ -345,4 +346,12 @@ interface Storage { * @return array|false */ public function getDirectDownload($path); + + /** + * @param string $path the path of the target folder + * @param string $fileName the name of the file itself + * @return void + * @throws InvalidPathException + */ + public function verifyPath($path, $fileName); } |