author | Lukas Reschke <lukas@statuscode.ch> | 2014-06-14 11:05:12 +0200 |
---|---|---|
committer | Lukas Reschke <lukas@statuscode.ch> | 2014-06-16 20:33:04 +0200 |
commit | f2fc214ce0455ce9a9def36bd09285e82b5eabec (patch) | |
tree | ad7dadfd6a39a6fed4df59c4fff17b734f432925 /lib | |
parent | c42d087fc5f13de7c388be6ff4edd18f3ff8fce2 (diff) | |
Add deprecation notice to load* functions
These functions are deprecated and/or removed since ownCloud 7. Additionally, an issubdirectory check has been added here to prevent developers from using this function in a potentially insecure way.
Port of https://github.com/owncloud/core/pull/9033
Diffstat (limited to 'lib')
-rw-r--r-- | lib/base.php | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/lib/base.php b/lib/base.php
index 5871ecba839..dcaf3725fcb 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -785,14 +785,18 @@ class OC {
  * Load a PHP file belonging to the specified application
  * @param array $param The application and file to load
  * @return bool Whether the file has been found (will return 404 and false if not)
+ * @deprecated This function will be removed in ownCloud 8 - use proper routing instead
+ * @param $param
+ * @return bool Whether the file has been found (will return 404 and false if not)
  */
  public static function loadAppScriptFile($param) {
  OC_App::loadApps();
  $app = $param['app'];
  $file = $param['file'];
  $app_path = OC_App::getAppPath($app);
- if (OC_App::isEnabled($app) && $app_path !== false) {
- $file = $app_path . '/' . $file;
+ $file = $app_path . '/' . $file;
+
+ if (OC_App::isEnabled($app) && $app_path !== false && OC_Helper::issubdirectory($file, $app_path)) {
  unset($app, $app_path);
  if (file_exists($file)) {
  require_once $file; |
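Review bot: The new containment guard depends entirely on `OC_Helper::issubdirectory($file, $app_path)`, whose implementation is not shown in this hunk, while `require_once $file` still loads the unnormalised concatenation of `$app_path` and the caller-supplied (presumably route-derived) `$param['file']`. If that helper compares path prefixes, it must canonicalise both sides and compare on a directory boundary, or a sibling directory whose name merely begins with the app path would pass. I would resolve the path once and load the resolved value: `$real = realpath($file);`, guard with `$real !== false && strpos($real, realpath($app_path) . '/') === 0`, then `require_once $real;`. Separately, building `$file` before the `$app_path !== false` test means a failed lookup yields the root-relative string `'/' . $file`; the short-circuit keeps it unused, but moving the concatenation back inside the guarded branch would make that explicit. The body of loadAppScriptFile continues past the end of the hunk.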