authorLukas Reschke <lukas@owncloud.com>2015-04-28 16:57:23 +0200
committerLukas Reschke <lukas@owncloud.com>2015-04-28 16:57:23 +0200
commit34d0e610ccb2f188954b33d87b4ad806a2de66fc (patch)
tree542d9241fd5b91ad810351dbfcf338a79f7ef8ea /tests
parent132ce04f319661ac33d3f83e013075a4d4e942d9 (diff)
downloadnextcloud-server-34d0e610ccb2f188954b33d87b4ad806a2de66fc.tar.gz
nextcloud-server-34d0e610ccb2f188954b33d87b4ad806a2de66fc.zip
Filter potential dangerous filenames for avatars
We don't want users misusing this API, which could result in a potential disclosure of "avatar.(jpg|png)" files outside the caller's own avatar directory.
Diffstat (limited to 'tests')
-rw-r--r--tests/lib/avatar.php23
1 files changed, 23 insertions, 0 deletions
diff --git a/tests/lib/avatar.php b/tests/lib/avatar.php
index 9e1f367108d..badee9f34d1 100644
--- a/tests/lib/avatar.php
+++ b/tests/lib/avatar.php
@@ -34,6 +34,29 @@ class Test_Avatar extends \Test\TestCase {
}
}
+ /**
+ * @return array
+ */
+ public function traversalProvider() {
+ return [
+ ['Pot\..\entiallyDangerousUsername'],
+ ['Pot/..\entiallyDangerousUsername'],
+ ['PotentiallyDangerousUsername/..'],
+ ['PotentiallyDangerousUsername\../'],
+ ['/../PotentiallyDangerousUsername'],
+ ];
+ }
+
+ /**
+ * @dataProvider traversalProvider
+ * @expectedException \Exception
+ * @expectedExceptionMessage Username may not contain slashes
+ * @param string $dangerousUsername
+ */
+ public function testAvatarTraversal($dangerousUsername) {
+ new Avatar($dangerousUsername);
+ }
+
public function testAvatar() {
$avatar = new Avatar($this->user);