summaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
authorThomas Müller <thomas.mueller@tmit.eu>2015-02-18 17:44:13 +0100
committerThomas Müller <thomas.mueller@tmit.eu>2015-03-09 10:38:37 +0100
commit4bac595068c813c56d8d5e580e560527ba80194d (patch)
treee7584ca8ff57a9b037388d428e47f390bc1a7fcc /lib
parent348fe105b13717757bee4150caa9d3546d6a7666 (diff)
downloadnextcloud-server-4bac595068c813c56d8d5e580e560527ba80194d.tar.gz
nextcloud-server-4bac595068c813c56d8d5e580e560527ba80194d.zip
adding storage specific filename verification - refs #13640
Diffstat (limited to 'lib')
-rw-r--r--lib/private/connector/sabre/exception/invalidpath.php57
-rw-r--r--lib/private/connector/sabre/file.php10
-rw-r--r--lib/private/connector/sabre/node.php14
-rw-r--r--lib/private/connector/sabre/objecttree.php7
-rw-r--r--lib/private/files/storage/common.php67
-rw-r--r--lib/private/files/storage/wrapper/wrapper.php12
-rw-r--r--lib/private/files/view.php37
-rw-r--r--lib/public/files/storage.php9
8 files changed, 191 insertions, 22 deletions
diff --git a/lib/private/connector/sabre/exception/invalidpath.php b/lib/private/connector/sabre/exception/invalidpath.php
new file mode 100644
index 00000000000..18285994bcc
--- /dev/null
+++ b/lib/private/connector/sabre/exception/invalidpath.php
@@ -0,0 +1,57 @@
+<?php
+
+/**
+ * Copyright (c) 2015 Thomas Müller <deepdiver@owncloud.com>
+ * This file is licensed under the Affero General Public License version 3 or
+ * later.
+ * See the COPYING-README file. */
+
+class OC_Connector_Sabre_Exception_InvalidPath extends \Sabre\DAV\Exception {
+
+ /**
+ * @var bool
+ */
+ private $retry;
+
+ /**
+ * @param string $message
+ * @param bool $retry
+ */
+ public function __construct($message, $retry = false) {
+ parent::__construct($message);
+ $this->retry = $retry;
+ }
+
+ /**
+ * Returns the HTTP status code for this exception
+ *
+ * @return int
+ */
+ public function getHTTPCode() {
+
+ return 400;
+
+ }
+
+ /**
+ * This method allows the exception to include additional information into the WebDAV error response
+ *
+ * @param \Sabre\DAV\Server $server
+ * @param \DOMElement $errorNode
+ * @return void
+ */
+ public function serialize(\Sabre\DAV\Server $server,\DOMElement $errorNode) {
+
+ // set owncloud namespace
+ $errorNode->setAttribute('xmlns:o', OC_Connector_Sabre_FilesPlugin::NS_OWNCLOUD);
+
+ // adding the retry node
+ $error = $errorNode->ownerDocument->createElementNS('o:','o:retry', var_export($this->retry, true));
+ $errorNode->appendChild($error);
+
+ // adding the message node
+ $error = $errorNode->ownerDocument->createElementNS('o:','o:reason', $this->getMessage());
+ $errorNode->appendChild($error);
+ }
+
+}
diff --git a/lib/private/connector/sabre/file.php b/lib/private/connector/sabre/file.php
index 7ef6eea768e..8f0642d794a 100644
--- a/lib/private/connector/sabre/file.php
+++ b/lib/private/connector/sabre/file.php
@@ -66,17 +66,15 @@ class File extends \OC\Connector\Sabre\Node implements \Sabre\DAV\IFile {
throw new \Sabre\DAV\Exception\ServiceUnavailable("Encryption is disabled");
}
- $fileName = basename($this->info->getPath());
- if (!\OCP\Util::isValidFileName($fileName)) {
- throw new \Sabre\DAV\Exception\BadRequest();
- }
+ // verify path of the target
+ $this->verifyPath();
// chunked handling
if (isset($_SERVER['HTTP_OC_CHUNKED'])) {
return $this->createFileChunked($data);
}
- list($storage,) = $this->fileView->resolvePath($this->path);
+ list($storage) = $this->fileView->resolvePath($this->path);
$needsPartFile = $this->needsPartFile($storage) && (strlen($this->path) > 1);
if ($needsPartFile) {
@@ -329,5 +327,5 @@ class File extends \OC\Connector\Sabre\Node implements \Sabre\DAV\IFile {
// and/or add method on Storage called "needsPartFile()"
return !$storage->instanceOfStorage('OCA\Files_Sharing\External\Storage') &&
!$storage->instanceOfStorage('OC\Files\Storage\OwnCloud');
- }
+ }
}
diff --git a/lib/private/connector/sabre/node.php b/lib/private/connector/sabre/node.php
index 8fee6a4eb4e..775e18657f1 100644
--- a/lib/private/connector/sabre/node.php
+++ b/lib/private/connector/sabre/node.php
@@ -103,9 +103,8 @@ abstract class Node implements \Sabre\DAV\INode {
list($parentPath,) = \Sabre\HTTP\URLUtil::splitPath($this->path);
list(, $newName) = \Sabre\HTTP\URLUtil::splitPath($name);
- if (!\OCP\Util::isValidFileName($newName)) {
- throw new \Sabre\DAV\Exception\BadRequest();
- }
+ // verify path of the target
+ $this->verifyPath();
$newPath = $parentPath . '/' . $newName;
@@ -230,4 +229,13 @@ abstract class Node implements \Sabre\DAV\INode {
}
return $p;
}
+
+ protected function verifyPath() {
+ try {
+ $fileName = basename($this->info->getPath());
+ $this->fileView->verifyPath($this->path, $fileName);
+ } catch (\OCP\Files\InvalidPathException $ex) {
+ throw new OC_Connector_Sabre_Exception_InvalidPath($ex->getMessage());
+ }
+ }
}
diff --git a/lib/private/connector/sabre/objecttree.php b/lib/private/connector/sabre/objecttree.php
index 5edd949eeaf..04ca1d7104d 100644
--- a/lib/private/connector/sabre/objecttree.php
+++ b/lib/private/connector/sabre/objecttree.php
@@ -11,6 +11,7 @@ namespace OC\Connector\Sabre;
use OC\Files\FileInfo;
use OC\Files\Filesystem;
use OC\Files\Mount\MoveableMount;
+use OC_Connector_Sabre_Exception_InvalidPath;
use OCP\Files\StorageInvalidException;
use OCP\Files\StorageNotAvailableException;
@@ -185,8 +186,10 @@ class ObjectTree extends \Sabre\DAV\Tree {
}
$fileName = basename($destinationPath);
- if (!\OCP\Util::isValidFileName($fileName)) {
- throw new \Sabre\DAV\Exception\BadRequest();
+ try {
+ $this->fileView->verifyPath($destinationDir, $fileName);
+ } catch (\OCP\Files\InvalidPathException $ex) {
+ throw new OC_Connector_Sabre_Exception_InvalidPath($ex->getMessage());
}
$renameOkay = $this->fileView->rename($sourcePath, $destinationPath);
diff --git a/lib/private/files/storage/common.php b/lib/private/files/storage/common.php
index edd756cbf1e..a9ba034f4ee 100644
--- a/lib/private/files/storage/common.php
+++ b/lib/private/files/storage/common.php
@@ -8,8 +8,12 @@
namespace OC\Files\Storage;
+use OC\Files\Cache\Cache;
+use OC\Files\Cache\Scanner;
+use OC\Files\Cache\Storage;
use OC\Files\Filesystem;
use OC\Files\Cache\Watcher;
+use OCP\Files\InvalidPathException;
/**
* Storage backend class for providing common filesystem operation methods
@@ -25,7 +29,6 @@ use OC\Files\Cache\Watcher;
abstract class Common implements \OC\Files\Storage\Storage {
protected $cache;
protected $scanner;
- protected $permissioncache;
protected $watcher;
protected $storageCache;
@@ -303,7 +306,7 @@ abstract class Common implements \OC\Files\Storage\Storage {
$storage = $this;
}
if (!isset($this->cache)) {
- $this->cache = new \OC\Files\Cache\Cache($storage);
+ $this->cache = new Cache($storage);
}
return $this->cache;
}
@@ -313,7 +316,7 @@ abstract class Common implements \OC\Files\Storage\Storage {
$storage = $this;
}
if (!isset($this->scanner)) {
- $this->scanner = new \OC\Files\Cache\Scanner($storage);
+ $this->scanner = new Scanner($storage);
}
return $this->scanner;
}
@@ -323,7 +326,7 @@ abstract class Common implements \OC\Files\Storage\Storage {
$storage = $this;
}
if (!isset($this->watcher)) {
- $this->watcher = new \OC\Files\Cache\Watcher($storage);
+ $this->watcher = new Watcher($storage);
$this->watcher->setPolicy(\OC::$server->getConfig()->getSystemValue('filesystem_check_changes', Watcher::CHECK_ONCE));
}
return $this->watcher;
@@ -334,7 +337,7 @@ abstract class Common implements \OC\Files\Storage\Storage {
$storage = $this;
}
if (!isset($this->storageCache)) {
- $this->storageCache = new \OC\Files\Cache\Storage($storage);
+ $this->storageCache = new Storage($storage);
}
return $this->storageCache;
}
@@ -451,4 +454,58 @@ abstract class Common implements \OC\Files\Storage\Storage {
return [];
}
+ /**
+ * @inheritdoc
+ */
+ public function verifyPath($path, $fileName) {
+ // NOTE: $path will remain unverified for now
+ if (\OC_Util::runningOnWindows()) {
+ $this->verifyWindowsPath($fileName);
+ } else {
+ $this->verifyPosixPath($fileName);
+ }
+ }
+
+ /**
+ * https://msdn.microsoft.com/en-us/library/windows/desktop/aa365247%28v=vs.85%29.aspx
+ * @param string $fileName
+ * @throws InvalidPathException
+ */
+ private function verifyWindowsPath($fileName) {
+ $fileName = trim($fileName);
+ $this->scanForInvalidCharacters($fileName, "\\/<>:\"|?*");
+ $reservedNames = ['CON', 'PRN', 'AUX', 'NUL', 'COM1', 'COM2', 'COM3', 'COM4', 'COM5', 'COM6', 'COM7', 'COM8', 'COM9', 'LPT1', 'LPT2', 'LPT3', 'LPT4', 'LPT5', 'LPT6', 'LPT7', 'LPT8', 'LPT9'];
+ if (in_array(strtoupper($fileName), $reservedNames)) {
+ throw new InvalidPathException("File name is a reserved word");
+ }
+ }
+
+ /**
+ * @param string $fileName
+ * @throws InvalidPathException
+ */
+ private function verifyPosixPath($fileName) {
+ $fileName = trim($fileName);
+ $this->scanForInvalidCharacters($fileName, "\\/");
+ $reservedNames = ['*'];
+ if (in_array($fileName, $reservedNames)) {
+ throw new InvalidPathException("File name is a reserved word");
+ }
+ }
+
+ /**
+ * @param $fileName
+ * @throws InvalidPathException
+ */
+ private function scanForInvalidCharacters($fileName, $invalidChars) {
+ foreach (str_split($fileName) as $char) {
+ if (strpos($invalidChars, $char) !== false) {
+ throw new InvalidPathException('File name contains at least one invalid characters');
+ }
+ if (ord($char) >= 0 && ord($char) <= 31) {
+ throw new InvalidPathException('File name contains at least one invalid characters');
+ }
+ }
+ }
+
}
diff --git a/lib/private/files/storage/wrapper/wrapper.php b/lib/private/files/storage/wrapper/wrapper.php
index ea9de287361..9208a7f7774 100644
--- a/lib/private/files/storage/wrapper/wrapper.php
+++ b/lib/private/files/storage/wrapper/wrapper.php
@@ -8,6 +8,8 @@
namespace OC\Files\Storage\Wrapper;
+use OCP\Files\InvalidPathException;
+
class Wrapper implements \OC\Files\Storage\Storage {
/**
* @var \OC\Files\Storage\Storage $storage
@@ -477,4 +479,14 @@ class Wrapper implements \OC\Files\Storage\Storage {
public function getDirectDownload($path) {
return $this->storage->getDirectDownload($path);
}
+
+ /**
+ * @param string $path the path of the target folder
+ * @param string $fileName the name of the file itself
+ * @return void
+ * @throws InvalidPathException
+ */
+ public function verifyPath($path, $fileName) {
+ $this->storage->verifyPath($path, $fileName);
+ }
}
diff --git a/lib/private/files/view.php b/lib/private/files/view.php
index 4f9a4001d69..17fad72e5e7 100644
--- a/lib/private/files/view.php
+++ b/lib/private/files/view.php
@@ -11,6 +11,7 @@ namespace OC\Files;
use OC\Files\Cache\Updater;
use OC\Files\Mount\MoveableMount;
+use OCP\Files\InvalidPathException;
/**
* Class to provide access to ownCloud filesystem via a "view", and methods for
@@ -29,11 +30,10 @@ use OC\Files\Mount\MoveableMount;
* \OC\Files\Storage\Storage object
*/
class View {
+ /** @var string */
private $fakeRoot = '';
- /**
- * @var \OC\Files\Cache\Updater
- */
+ /** @var \OC\Files\Cache\Updater */
protected $updater;
/**
@@ -116,7 +116,7 @@ class View {
* get the mountpoint of the storage object for a path
* ( note: because a storage is not always mounted inside the fakeroot, the
* returned mountpoint is relative to the absolute root of the filesystem
- * and doesn't take the chroot into account )
+ * and does not take the chroot into account )
*
* @param string $path
* @return string
@@ -129,7 +129,7 @@ class View {
* get the mountpoint of the storage object for a path
* ( note: because a storage is not always mounted inside the fakeroot, the
* returned mountpoint is relative to the absolute root of the filesystem
- * and doesn't take the chroot into account )
+ * and does not take the chroot into account )
*
* @param string $path
* @return \OCP\Files\Mount\IMountPoint
@@ -1532,7 +1532,32 @@ class View {
/**
* @return Updater
*/
- public function getUpdater(){
+ public function getUpdater() {
return $this->updater;
}
+
+ public function verifyPath($path, $fileName) {
+
+ // verify empty and dot files
+ $trimmed = trim($fileName);
+ if ($trimmed === '') {
+ throw new InvalidPathException('Empty filename is not allowed');
+ }
+ if ($trimmed === '.' || $trimmed === '..') {
+ throw new InvalidPathException('Dot files are not allowed');
+ }
+
+ // verify database - e.g. mysql only 3-byte chars
+ if (preg_match('%^(?:
+ \xF0[\x90-\xBF][\x80-\xBF]{2} # planes 1-3
+ | [\xF1-\xF3][\x80-\xBF]{3} # planes 4-15
+ | \xF4[\x80-\x8F][\x80-\xBF]{2} # plane 16
+)*$%xs', $fileName)) {
+ throw new InvalidPathException('4-byte characters are not supported in file names');
+ }
+
+ /** @type \OCP\Files\Storage $storage */
+ list($storage, $internalPath) = $this->resolvePath($path);
+ $storage->verifyPath($internalPath, $fileName);
+ }
}
diff --git a/lib/public/files/storage.php b/lib/public/files/storage.php
index 3e6559c28f7..388ba5fa6ac 100644
--- a/lib/public/files/storage.php
+++ b/lib/public/files/storage.php
@@ -28,6 +28,7 @@
// use OCP namespace for all classes that are considered public.
// This means that they should be used by apps instead of the internal ownCloud classes
namespace OCP\Files;
+use OCP\Files\InvalidPathException;
/**
* Provide a common interface to all different storage options
@@ -345,4 +346,12 @@ interface Storage {
* @return array|false
*/
public function getDirectDownload($path);
+
+ /**
+ * @param string $path the path of the target folder
+ * @param string $fileName the name of the file itself
+ * @return void
+ * @throws InvalidPathException
+ */
+ public function verifyPath($path, $fileName);
}