author | Thomas Müller <thomas.mueller@tmit.eu> | 2013-02-09 09:56:26 -0800 |
---|---|---|
committer | Thomas Müller <thomas.mueller@tmit.eu> | 2013-02-09 09:56:26 -0800 |
commit | 460faf3f97de3dc69e18c0701ede810d67c7f0ad (patch) | |
tree | fc414dd22538e7d872f9dcde0065f54db04b66fb /lib | |
parent | 73c44dfa1fd091f56e4cc47341fb5c38d20356bd (diff) | |
parent | d67d9566ce37e63c4df62d1f57fb03540421895c (diff) | |
Merge pull request #1569 from owncloud/clean-app-id
Remove invalid characters from app id to prevent loading of invalid reso...
Diffstat (limited to 'lib')
-rw-r--r-- | lib/app.php | 9 | ||||
-rw-r--r-- | lib/base.php | 2 | ||||
-rw-r--r-- | lib/l10n.php | 2 |
3 files changed, 11 insertions, 2 deletions
diff --git a/lib/app.php b/lib/app.php
index 3a4e21e8cd1..54f16d6bdcd 100644
--- a/lib/app.php
+++ b/lib/app.php
@@ -39,6 +39,15 @@ class OC_App{
 static private $altLogin = array();
 
 /**
+ * @brief clean the appid
+ * @param $app Appid that needs to be cleaned
+ * @return string
+ */
+ public static function cleanAppId($app) {
+ return str_replace(array('\0', '/', '\\', '..'), '', $app);
+ }
+
+ /**
 * @brief loads all apps
 * @param array $types
 * @return bool
diff --git a/lib/base.php b/lib/base.php
index 84e9b0c2eeb..5bca1cde2d5 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -468,7 +468,7 @@ class OC {
 register_shutdown_function(array('OC_Helper', 'cleanTmp'));
 
 //parse the given parameters
- self::$REQUESTEDAPP = (isset($_GET['app']) && trim($_GET['app']) != '' && !is_null($_GET['app']) ? str_replace(array('\0', '/', '\\', '..'), '', strip_tags($_GET['app'])) : OC_Config::getValue('defaultapp', 'files'));
+ self::$REQUESTEDAPP = (isset($_GET['app']) && trim($_GET['app']) != '' && !is_null($_GET['app']) ? OC_App::cleanAppId(strip_tags($_GET['app'])) : OC_Config::getValue('defaultapp', 'files'));
 if (substr_count(self::$REQUESTEDAPP, '?') != 0) {
 $app = substr(self::$REQUESTEDAPP, 0, strpos(self::$REQUESTEDAPP, '?'));
 $param = substr($_GET['app'], strpos($_GET['app'], '?') + 1);
diff --git a/lib/l10n.php b/lib/l10n.php
index ee879009265..e272bcd79f3 100644
--- a/lib/l10n.php
+++ b/lib/l10n.php
@@ -97,7 +97,7 @@ class OC_L10N{
 if ($this->app === true) {
 return;
 }
- $app = $this->app;
+ $app = OC_App::cleanAppId($this->app);
 $lang = $this->lang;
 $this->app = true;
 // Find the right language |
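Review bot: In `cleanAppId` the first needle `'\0'` is single-quoted, and PHP does not interpret escape sequences in single-quoted strings, so it matches the two literal characters backslash and zero rather than a NUL byte; a NUL in the app id passes through unchanged. A double-quoted needle fixes that: `return str_replace(array("\0", '/', '\\', '..'), '', $app);`. Both callers changed in this commit (lib/base.php and lib/l10n.php) inherit the behaviour, and the old inline expression in lib/base.php had the same needle. The commit title suggests the id is used to locate resources, so an allowlist of the characters valid in an app id would be a stronger check than removing known-bad sequences. The docblock should also name the parameter type, `@param string $app`.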
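Review bot: Only `self::$REQUESTEDAPP` receives the cleaned value in lib/base.php; the context line `$param = substr($_GET['app'], strpos($_GET['app'], '?') + 1);` still reads the raw request parameter. How `$param` is consumed lies outside the hunk, so a comment on that line such as `// $param is taken from the raw, uncleaned $_GET['app']` would keep later readers from treating it as sanitized. As a style point, `!is_null($_GET['app'])` is redundant after `isset($_GET['app'])`.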
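Review bot: In lib/l10n.php the id is cleaned only in the local `$app`; the property `$this->app` keeps the raw value until it is overwritten with `true` two lines later. The enclosing method starts and ends outside the hunk, so it is not visible whether other code reads `$this->app` before this point; if it does, that code bypasses the cleaning. Cleaning once where the property is assigned would cover every reader, or at minimum add `// $this->app holds the caller-supplied id; clean it before building any path` above the new line.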