diff options
| author | Morris Jobke <hey@morrisjobke.de> | 2015-09-07 00:09:00 +0200 |
|---|---|---|
| committer | Morris Jobke <hey@morrisjobke.de> | 2015-09-07 00:09:00 +0200 |
| commit | c57595bcb4709fd2fc827bce09801eccdf7ab56a (patch) | |
| tree | f6c9fb7eb40ab46f96aaa4106c0cbf07bfcdee69 /lib | |
| parent | 24f5f50b20c4f49bcd602a3c322f2ee2deb0f95b (diff) | |
| parent | 0fac2e3f3aaaeaddf431f7877ebddb6372a00a42 (diff) | |
| download | nextcloud-server-c57595bcb4709fd2fc827bce09801eccdf7ab56a.tar.gz nextcloud-server-c57595bcb4709fd2fc827bce09801eccdf7ab56a.zip | |
Merge pull request #18839 from owncloud/autoloader-supersecure
Restrict autoloaded paths to loaded apps (and other enhancements)
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/autoloader.php | 6 | ||||
| -rw-r--r-- | lib/base.php | 4 | ||||
| -rw-r--r-- | lib/private/app.php | 3 | ||||
| -rw-r--r-- | lib/private/backgroundjob/joblist.php | 22 | ||||
| -rw-r--r-- | lib/public/autoloadnotallowedexception.php | 36 |
5 files changed, 56 insertions, 15 deletions
diff --git a/lib/autoloader.php b/lib/autoloader.php index d7649781ea1..41a040b3f54 100644 --- a/lib/autoloader.php +++ b/lib/autoloader.php @@ -27,6 +27,8 @@ namespace OC; +use \OCP\AutoloadNotAllowedException; + class Autoloader { private $useGlobalClassPath = true; @@ -58,7 +60,7 @@ class Autoloader { * @param string $root */ public function addValidRoot($root) { - $this->validRoots[] = $root; + $this->validRoots[] = stream_resolve_include_path($root); } /** @@ -129,7 +131,7 @@ class Autoloader { return true; } } - throw new \Exception('Path not allowed: '. $fullPath); + throw new AutoloadNotAllowedException($fullPath); } /** diff --git a/lib/base.php b/lib/base.php index 63aad4518ab..a4b5e9e01bf 100644 --- a/lib/base.php +++ b/lib/base.php @@ -552,10 +552,6 @@ class OC { exit(); } - foreach(OC::$APPSROOTS as $appRoot) { - self::$loader->addValidRoot($appRoot['path']); - } - // setup the basic server self::$server = new \OC\Server(\OC::$WEBROOT); \OC::$server->getEventLogger()->log('autoloader', 'Autoloader', $loaderStart, $loaderEnd); diff --git a/lib/private/app.php b/lib/private/app.php index f1a1d27ae66..f6a81f9945f 100644 --- a/lib/private/app.php +++ b/lib/private/app.php @@ -105,7 +105,6 @@ class OC_App { ob_start(); foreach ($apps as $app) { if ((is_null($types) or self::isType($app, $types)) && !in_array($app, self::$loadedApps)) { - self::$loadedApps[] = $app; self::loadApp($app); } } @@ -122,6 +121,8 @@ class OC_App { * @throws \OC\NeedsUpdateException */ public static function loadApp($app, $checkUpgrade = true) { + self::$loadedApps[] = $app; + \OC::$loader->addValidRoot(self::getAppPath($app)); if (is_file(self::getAppPath($app) . '/appinfo/app.php')) { \OC::$server->getEventLogger()->start('load_app_' . $app, 'Load app: ' . $app); if ($checkUpgrade and self::shouldUpgrade($app)) { diff --git a/lib/private/backgroundjob/joblist.php b/lib/private/backgroundjob/joblist.php index f297bccbc7d..deadadfb77e 100644 --- a/lib/private/backgroundjob/joblist.php +++ b/lib/private/backgroundjob/joblist.php @@ -26,6 +26,7 @@ namespace OC\BackgroundJob; use OCP\BackgroundJob\IJobList; +use OCP\AutoloadNotAllowedException; class JobList implements IJobList { /** @@ -185,15 +186,20 @@ class JobList implements IJobList { /** * @var Job $job */ - if (!class_exists($class)) { - // job from disabled app or old version of an app, no need to do anything - return null; + try { + if (!class_exists($class)) { + // job from disabled app or old version of an app, no need to do anything + return null; + } + $job = new $class(); + $job->setId($row['id']); + $job->setLastRun($row['last_run']); + $job->setArgument(json_decode($row['argument'], true)); + return $job; + } catch (AutoloadNotAllowedException $e) { + // job is from a disabled app, ignore } - $job = new $class(); - $job->setId($row['id']); - $job->setLastRun($row['last_run']); - $job->setArgument(json_decode($row['argument'], true)); - return $job; + return null; } /** diff --git a/lib/public/autoloadnotallowedexception.php b/lib/public/autoloadnotallowedexception.php new file mode 100644 index 00000000000..edb7121c065 --- /dev/null +++ b/lib/public/autoloadnotallowedexception.php @@ -0,0 +1,36 @@ +<?php +/** + * @author Robin McCorkell <rmccorkell@owncloud.com> + * + * @copyright Copyright (c) 2015, ownCloud, Inc. + * @license AGPL-3.0 + * + * This code is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License, version 3, + * along with this program. If not, see <http://www.gnu.org/licenses/> + */ + +namespace OCP; + +/** + * Exception for when a not allowed path is attempted to be autoloaded + * @since 8.2.0 + */ +class AutoloadNotAllowedException extends \DomainException { + /** + * @param string $path + * @since 8.2.0 + */ + public function __construct($path) { + parent::__construct('Autoload path not allowed: '.$path); + } +} + |