Merge pull request #16107 from nextcloud/local-check-path

verify that paths are valid for recursive local move

1 files changed, 21 insertions, 0 deletions

diff --git a/lib/private/Files/Storage/Local.php b/lib/private/Files/Storage/Local.php
index 5f7232e64b3..e3e6ac783d9 100644
--- a/lib/private/Files/Storage/Local.php
+++ b/lib/private/Files/Storage/Local.php
@@ -39,6 +39,7 @@
 
 namespace OC\Files\Storage;
 
+use OC\Files\Filesystem;
 use OC\Files\Storage\Wrapper\Jail;
 use OCP\Files\ForbiddenException;
 use OCP\Files\Storage\IStorage;
@@ -231,6 +232,18 @@ class Local extends \OC\Files\Storage\Common {
 
 	}
 
+	private function treeContainsBlacklistedFile(string $path): bool {
+		$iterator = new \RecursiveIteratorIterator(new \RecursiveDirectoryIterator($path));
+		foreach ($iterator as $file) {
+			/** @var \SplFileInfo $file */
+			if (Filesystem::isFileBlacklisted($file->getBasename())) {
+				return true;
+			}
+		}
+
+		return false;
+	}
+
 	public function rename($path1, $path2) {
 		$srcParent = dirname($path1);
 		$dstParent = dirname($path2);
@@ -267,6 +280,10 @@ class Local extends \OC\Files\Storage\Common {
 				}
 				return $result;
 			}
+
+			if ($this->treeContainsBlacklistedFile($this->getSourcePath($path1))) {
+				throw new ForbiddenException('Invalid path', false);
+			}
 		}
 
 		return rename($this->getSourcePath($path1), $this->getSourcePath($path2));
@@ -362,6 +379,10 @@ class Local extends \OC\Files\Storage\Common {
 	 * @throws ForbiddenException
 	 */
 	public function getSourcePath($path) {
+		if (Filesystem::isFileBlacklisted($path)) {
+			throw new ForbiddenException('Invalid path', false);
+		}
+
 		$fullPath = $this->datadir . $path;
 		$currentPath = $path;
 		if ($this->allowSymlinks || $currentPath === '') {