diff options
Diffstat (limited to 'apps/dav/lib/BulkUpload')
| -rw-r--r-- | apps/dav/lib/BulkUpload/BulkUploadPlugin.php | 24 | ||||
| -rw-r--r-- | apps/dav/lib/BulkUpload/MultipartRequestParser.php | 68 |
2 files changed, 53 insertions, 39 deletions
diff --git a/apps/dav/lib/BulkUpload/BulkUploadPlugin.php b/apps/dav/lib/BulkUpload/BulkUploadPlugin.php index ae7f55d7107..d4faf3764e1 100644 --- a/apps/dav/lib/BulkUpload/BulkUploadPlugin.php +++ b/apps/dav/lib/BulkUpload/BulkUploadPlugin.php @@ -1,4 +1,5 @@ <?php + /** * SPDX-FileCopyrightText: 2021 Nextcloud GmbH and Nextcloud contributors * SPDX-License-Identifier: AGPL-3.0-only @@ -17,15 +18,10 @@ use Sabre\HTTP\RequestInterface; use Sabre\HTTP\ResponseInterface; class BulkUploadPlugin extends ServerPlugin { - private Folder $userFolder; - private LoggerInterface $logger; - public function __construct( - Folder $userFolder, - LoggerInterface $logger + private Folder $userFolder, + private LoggerInterface $logger, ) { - $this->userFolder = $userFolder; - $this->logger = $logger; } /** @@ -44,7 +40,7 @@ class BulkUploadPlugin extends ServerPlugin { */ public function httpPost(RequestInterface $request, ResponseInterface $response): bool { // Limit bulk upload to the /dav/bulk endpoint - if ($request->getPath() !== "bulk") { + if ($request->getPath() !== 'bulk') { return true; } @@ -77,16 +73,16 @@ class BulkUploadPlugin extends ServerPlugin { $node = $this->userFolder->getFirstNodeById($node->getId()); $writtenFiles[$headers['x-file-path']] = [ - "error" => false, - "etag" => $node->getETag(), - "fileid" => DavUtil::getDavFileId($node->getId()), - "permissions" => DavUtil::getDavPermissions($node), + 'error' => false, + 'etag' => $node->getETag(), + 'fileid' => DavUtil::getDavFileId($node->getId()), + 'permissions' => DavUtil::getDavPermissions($node), ]; } catch (\Exception $e) { $this->logger->error($e->getMessage(), ['path' => $headers['x-file-path']]); $writtenFiles[$headers['x-file-path']] = [ - "error" => true, - "message" => $e->getMessage(), + 'error' => true, + 'message' => $e->getMessage(), ]; } } diff --git a/apps/dav/lib/BulkUpload/MultipartRequestParser.php b/apps/dav/lib/BulkUpload/MultipartRequestParser.php index 2d3cf7d421c..50f8cff76ba 100644 --- a/apps/dav/lib/BulkUpload/MultipartRequestParser.php +++ b/apps/dav/lib/BulkUpload/MultipartRequestParser.php @@ -1,4 +1,5 @@ <?php + /** * SPDX-FileCopyrightText: 2021 Nextcloud GmbH and Nextcloud contributors * SPDX-License-Identifier: AGPL-3.0-only @@ -19,10 +20,10 @@ class MultipartRequestParser { private $stream; /** @var string */ - private $boundary = ""; + private $boundary = ''; /** @var string */ - private $lastBoundary = ""; + private $lastBoundary = ''; /** * @throws BadRequest @@ -39,14 +40,14 @@ class MultipartRequestParser { } if ($contentType === null) { - throw new BadRequest("Content-Type can not be null"); + throw new BadRequest('Content-Type can not be null'); } $this->stream = $stream; $boundary = $this->parseBoundaryFromHeaders($contentType); - $this->boundary = '--'.$boundary."\r\n"; - $this->lastBoundary = '--'.$boundary."--\r\n"; + $this->boundary = '--' . $boundary . "\r\n"; + $this->lastBoundary = '--' . $boundary . "--\r\n"; } /** @@ -57,10 +58,16 @@ class MultipartRequestParser { */ private function parseBoundaryFromHeaders(string $contentType): string { try { + if (!str_contains($contentType, ';')) { + throw new \InvalidArgumentException('No semicolon in header'); + } [$mimeType, $boundary] = explode(';', $contentType); + if (!str_contains($boundary, '=')) { + throw new \InvalidArgumentException('No equal in boundary header'); + } [$boundaryKey, $boundaryValue] = explode('=', $boundary); } catch (\Exception $e) { - throw new BadRequest("Error while parsing boundary in Content-Type header.", Http::STATUS_BAD_REQUEST, $e); + throw new BadRequest('Error while parsing boundary in Content-Type header.', Http::STATUS_BAD_REQUEST, $e); } $boundaryValue = trim($boundaryValue); @@ -96,7 +103,7 @@ class MultipartRequestParser { $seekBackResult = fseek($this->stream, -$expectedContentLength, SEEK_CUR); if ($seekBackResult === -1) { - throw new Exception("Unknown error while seeking content", Http::STATUS_INTERNAL_SERVER_ERROR); + throw new Exception('Unknown error while seeking content', Http::STATUS_INTERNAL_SERVER_ERROR); } return $expectedContent === $content; @@ -134,7 +141,10 @@ class MultipartRequestParser { $headers = $this->readPartHeaders(); - $content = $this->readPartContent($headers["content-length"], $headers["x-file-md5"]); + $length = (int)$headers['content-length']; + + $this->validateHash($length, $headers['x-file-md5'] ?? '', $headers['oc-checksum'] ?? ''); + $content = $this->readPartContent($length); return [$headers, $content]; } @@ -146,7 +156,7 @@ class MultipartRequestParser { */ private function readBoundary(): string { if (!$this->isAtBoundary()) { - throw new BadRequest("Boundary not found where it should be."); + throw new BadRequest('Boundary not found where it should be.'); } return fread($this->stream, strlen($this->boundary)); @@ -180,12 +190,13 @@ class MultipartRequestParser { } } - if (!isset($headers["content-length"])) { - throw new LengthRequired("The Content-Length header must not be null."); + if (!isset($headers['content-length'])) { + throw new LengthRequired('The Content-Length header must not be null.'); } - if (!isset($headers["x-file-md5"])) { - throw new BadRequest("The X-File-MD5 header must not be null."); + // TODO: Drop $md5 condition when the latest desktop client that uses it is no longer supported. + if (!isset($headers['x-file-md5']) && !isset($headers['oc-checksum'])) { + throw new BadRequest('The hash headers must not be null.'); } return $headers; @@ -197,13 +208,7 @@ class MultipartRequestParser { * @throws Exception * @throws BadRequest */ - private function readPartContent(int $length, string $md5): string { - $computedMd5 = $this->computeMd5Hash($length); - - if ($md5 !== $computedMd5) { - throw new BadRequest("Computed md5 hash is incorrect."); - } - + private function readPartContent(int $length): string { if ($length === 0) { $content = ''; } else { @@ -215,7 +220,7 @@ class MultipartRequestParser { } if ($length !== 0 && feof($this->stream)) { - throw new Exception("Unexpected EOF while reading stream."); + throw new Exception('Unexpected EOF while reading stream.'); } // Read '\r\n'. @@ -225,12 +230,25 @@ class MultipartRequestParser { } /** - * Compute the MD5 hash of the next x bytes. + * Compute the MD5 or checksum hash of the next x bytes. + * TODO: Drop $md5 argument when the latest desktop client that uses it is no longer supported. */ - private function computeMd5Hash(int $length): string { - $context = hash_init('md5'); + private function validateHash(int $length, string $fileMd5Header, string $checksumHeader): void { + if ($checksumHeader !== '') { + [$algorithm, $hash] = explode(':', $checksumHeader, 2); + } elseif ($fileMd5Header !== '') { + $algorithm = 'md5'; + $hash = $fileMd5Header; + } else { + throw new BadRequest('No hash provided.'); + } + + $context = hash_init($algorithm); hash_update_stream($context, $this->stream, $length); fseek($this->stream, -$length, SEEK_CUR); - return hash_final($context); + $computedHash = hash_final($context); + if ($hash !== $computedHash) { + throw new BadRequest("Computed $algorithm hash is incorrect ($computedHash)."); + } } } |