diff options
Diffstat (limited to 'apps/dav/lib/Files')
| -rw-r--r-- | apps/dav/lib/Files/FileSearchBackend.php | 4 | ||||
| -rw-r--r-- | apps/dav/lib/Files/LazySearchBackend.php | 1 | ||||
| -rw-r--r-- | apps/dav/lib/Files/Sharing/FilesDropPlugin.php | 25 |
3 files changed, 24 insertions, 6 deletions
diff --git a/apps/dav/lib/Files/FileSearchBackend.php b/apps/dav/lib/Files/FileSearchBackend.php index ace367e4490..eb548bbd55c 100644 --- a/apps/dav/lib/Files/FileSearchBackend.php +++ b/apps/dav/lib/Files/FileSearchBackend.php @@ -1,4 +1,5 @@ <?php + /** * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors * SPDX-License-Identifier: AGPL-3.0-or-later @@ -15,6 +16,7 @@ use OCA\DAV\Connector\Sabre\CachingTree; use OCA\DAV\Connector\Sabre\Directory; use OCA\DAV\Connector\Sabre\File; use OCA\DAV\Connector\Sabre\FilesPlugin; +use OCA\DAV\Connector\Sabre\Server; use OCA\DAV\Connector\Sabre\TagsPlugin; use OCP\Files\Cache\ICacheEntry; use OCP\Files\Folder; @@ -44,6 +46,7 @@ class FileSearchBackend implements ISearchBackend { public const OPERATOR_LIMIT = 100; public function __construct( + private Server $server, private CachingTree $tree, private IUser $user, private IRootFolder $rootFolder, @@ -133,6 +136,7 @@ class FileSearchBackend implements ISearchBackend { * @param string[] $requestProperties */ public function preloadPropertyFor(array $nodes, array $requestProperties): void { + $this->server->emit('preloadProperties', [$nodes, $requestProperties]); } private function getFolderForPath(?string $path = null): Folder { diff --git a/apps/dav/lib/Files/LazySearchBackend.php b/apps/dav/lib/Files/LazySearchBackend.php index a0ad730ff2b..6ba539ddd87 100644 --- a/apps/dav/lib/Files/LazySearchBackend.php +++ b/apps/dav/lib/Files/LazySearchBackend.php @@ -1,4 +1,5 @@ <?php + /** * SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors * SPDX-License-Identifier: AGPL-3.0-or-later diff --git a/apps/dav/lib/Files/Sharing/FilesDropPlugin.php b/apps/dav/lib/Files/Sharing/FilesDropPlugin.php index 9aee5283ea9..a3dbd32ce6b 100644 --- a/apps/dav/lib/Files/Sharing/FilesDropPlugin.php +++ b/apps/dav/lib/Files/Sharing/FilesDropPlugin.php @@ -1,4 +1,5 @@ <?php + /** * SPDX-FileCopyrightText: 2016 Nextcloud GmbH and Nextcloud contributors * SPDX-License-Identifier: AGPL-3.0-or-later @@ -8,6 +9,7 @@ namespace OCA\DAV\Files\Sharing; use OCP\Files\Folder; use OCP\Files\NotFoundException; use OCP\Share\IShare; +use Sabre\DAV\Exception\BadRequest; use Sabre\DAV\Exception\MethodNotAllowed; use Sabre\DAV\ServerPlugin; use Sabre\HTTP\RequestInterface; @@ -71,13 +73,12 @@ class FilesDropPlugin extends ServerPlugin { ? trim(urldecode($request->getHeader('X-NC-Nickname'))) : null; - // if ($request->getMethod() !== 'PUT') { // If uploading subfolders we need to ensure they get created // within the nickname folder if ($request->getMethod() === 'MKCOL') { if (!$nickname) { - throw new MethodNotAllowed('A nickname header is required when uploading subfolders'); + throw new BadRequest('A nickname header is required when uploading subfolders'); } } else { throw new MethodNotAllowed('Only PUT is allowed on files drop'); @@ -113,7 +114,7 @@ class FilesDropPlugin extends ServerPlugin { // We need a valid nickname for file requests if ($isFileRequest && !$nickname) { - throw new MethodNotAllowed('A nickname header is required for file requests'); + throw new BadRequest('A nickname header is required for file requests'); } // We're only allowing the upload of @@ -121,12 +122,24 @@ class FilesDropPlugin extends ServerPlugin { // This prevents confusion when uploading files and help // classify them by uploaders. if (!$nickname && !$isRootUpload) { - throw new MethodNotAllowed('A nickname header is required when uploading subfolders'); + throw new BadRequest('A nickname header is required when uploading subfolders'); } - // If we have a nickname, let's put everything inside if ($nickname) { - // Put all files in the subfolder + try { + $node->verifyPath($nickname); + } catch (\Exception $e) { + // If the path is not valid, we throw an exception + throw new BadRequest('Invalid nickname: ' . $nickname); + } + + // Forbid nicknames starting with a dot + if (str_starts_with($nickname, '.')) { + throw new BadRequest('Invalid nickname: ' . $nickname); + } + + // If we have a nickname, let's put + // all files in the subfolder $relativePath = '/' . $nickname . '/' . $relativePath; $relativePath = str_replace('//', '/', $relativePath); } |