Diffstat (limited to 'apps/files/ajax/upload.php')
-rw-r--r--apps/files/ajax/upload.php31
1 files changed, 30 insertions, 1 deletions
diff --git a/apps/files/ajax/upload.php b/apps/files/ajax/upload.php
index 9cc9c279700..d243b6ad97e 100644
--- a/apps/files/ajax/upload.php
+++ b/apps/files/ajax/upload.php
@@ -43,6 +43,7 @@ OCP\JSON::setContentTypeHeader('text/plain');
// If no token is sent along, rely on login only
$errorCode = null;
+$errorFileName = null;
$l = \OC::$server->getL10N('files');
if (empty($_POST['dirToken'])) {
@@ -161,6 +162,15 @@ if (\OC\Files\Filesystem::isValidPath($dir) === true) {
$resolution = null;
}
+ if(isset($_POST['dirToken'])) {
+ // If it is a read only share the resolution will always be autorename
+ $shareManager = \OC::$server->getShareManager();
+ $share = $shareManager->getShareByToken((string)$_POST['dirToken']);
+ if (!($share->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
+ $resolution = 'autorename';
+ }
+ }
+
// target directory for when uploading folders
$relativePath = '';
if(!empty($_POST['file_directory'])) {
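Review bot: The added comment says "read only share", but the condition `!($share->getPermissions() & \OCP\Constants::PERMISSION_READ)` selects shares that lack read permission, so it should read something like `// Upload-only share (no read permission): always autorename`. The guard is `isset($_POST['dirToken'])`, whereas the context line in the first hunk uses `empty($_POST['dirToken'])` to choose the login-only path, so a request carrying an empty token still reaches `getShareByToken('')`. Changing the guard to `if (!empty($_POST['dirToken'])) {` keeps the two paths consistent. No handling for a token that resolves to no share is visible in this hunk, and how `getShareByToken()` fails in that case should be confirmed. The same lookup and permission test is repeated in the last hunk; computing it once into a flag such as `$isUploadOnlyShare` would keep the two decisions from drifting apart.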
@@ -216,6 +226,7 @@ if (\OC\Files\Filesystem::isValidPath($dir) === true) {
} else {
$error = $l->t('Upload failed. Could not find uploaded file');
+ $errorFileName = $files['name'][$i];
}
} catch(Exception $ex) {
$error = $ex->getMessage();
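Review bot: `$errorFileName` is filled only in the "Could not find uploaded file" branch, while the `catch` branch directly below sets `$error` and leaves the name `null`, so the new `filename` field in the error response is empty for that failure. If `$files` and `$i` are still in scope in the `catch` (the enclosing loop and `try` start outside the hunk), adding `$errorFileName = $files['name'][$i];` there would make the two branches agree.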
@@ -247,7 +258,25 @@ if (\OC\Files\Filesystem::isValidPath($dir) === true) {
}
if ($error === false) {
+ // Do not leak file information if it is a read-only share
+ if(isset($_POST['dirToken'])) {
+ $shareManager = \OC::$server->getShareManager();
+ $share = $shareManager->getShareByToken((string)$_POST['dirToken']);
+ if (!($share->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
+ $newResults = [];
+ foreach($result as $singleResult) {
+ $fileName = $singleResult['originalname'];
+ $newResults['filename'] = $fileName;
+ $newResults['mimetype'] = \OC::$server->getMimeTypeDetector()->detectPath($fileName);
+ }
+ $result = $newResults;
+ }
+ }
OCP\JSON::encodedPrint($result);
} else {
- OCP\JSON::error(array(array('data' => array_merge(array('message' => $error, 'code' => $errorCode), $storageStats))));
+ OCP\JSON::error(array(array('data' => array_merge(array(
+ 'message' => $error,
+ 'code' => $errorCode,
+ 'filename' => $errorFileName
+ ), $storageStats))));
}
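Review bot: Inside the `foreach`, `$newResults['filename']` and `$newResults['mimetype']` are overwritten on every pass, so when `$result` holds more than one entry only the last file is reported and the response changes from a list to a single map. If one entry per file is intended, append instead: `$newResults[] = ['filename' => $fileName, 'mimetype' => \OC::$server->getMimeTypeDetector()->detectPath($fileName)];`. The filtering also covers only the success branch. The error branch still returns `$error` (which a context line in the previous hunk fills from `$ex->getMessage()`) and `$storageStats` to the same upload-only caller, so it is worth checking whether those need the same reduction. The enclosing `if (\OC\Files\Filesystem::isValidPath($dir) === true)` block starts outside the hunk.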