5 files changed, 174 insertions, 22 deletions
diff --git a/lib/connector/sabre/aborteduploaddetectionplugin.php b/lib/connector/sabre/aborteduploaddetectionplugin.php
new file mode 100644
index 00000000000..15dca3a6809
--- /dev/null
+++ b/lib/connector/sabre/aborteduploaddetectionplugin.php
@@ -0,0 +1,101 @@
+<?php
+/**
+ * Copyright (c) 2013 Thomas Müller <thomas.mueller@tmit.eu>
+ * This file is licensed under the Affero General Public License version 3 or
+ * later.
+ * See the COPYING-README file.
+ */
+
+/**
+ * Class OC_Connector_Sabre_AbortedUploadDetectionPlugin
+ *
+ * This plugin will verify if the uploaded data has been stored completely.
+ * This is done by comparing the content length of the request with the file size on storage.
+ */
+class OC_Connector_Sabre_AbortedUploadDetectionPlugin extends Sabre_DAV_ServerPlugin {
+
+	/**
+	 * Reference to main server object
+	 *
+	 * @var Sabre_DAV_Server
+	 */
+	private $server;
+
+	/**
+	 * is kept public to allow overwrite for unit testing
+	 *
+	 * @var \OC\Files\View
+	 */
+	public $fileView;
+
+	/**
+	 * This initializes the plugin.
+	 *
+	 * This function is called by Sabre_DAV_Server, after
+	 * addPlugin is called.
+	 *
+	 * This method should set up the requires event subscriptions.
+	 *
+	 * @param Sabre_DAV_Server $server
+	 */
+	public function initialize(Sabre_DAV_Server $server) {
+
+		$this->server = $server;
+
+		$server->subscribeEvent('afterCreateFile', array($this, 'verifyContentLength'), 10);
+		$server->subscribeEvent('afterWriteContent', array($this, 'verifyContentLength'), 10);
+	}
+
+	/**
+	 * @param $filePath
+	 * @param Sabre_DAV_INode $node
+	 * @throws Sabre_DAV_Exception_BadRequest
+	 */
+	public function verifyContentLength($filePath, Sabre_DAV_INode $node = null) {
+
+		// ownCloud chunked upload will be handled in its own plugin
+		$chunkHeader = $this->server->httpRequest->getHeader('OC-Chunked');
+		if ($chunkHeader) {
+			return;
+		}
+
+		// compare expected and actual size
+		$expected = $this->getLength();
+		if (!$expected) {
+			return;
+		}
+		$actual = $this->getFileView()->filesize($filePath);
+		if ($actual != $expected) {
+			$this->getFileView()->unlink($filePath);
+			throw new Sabre_DAV_Exception_BadRequest('expected filesize ' . $expected . ' got ' . $actual);
+		}
+
+	}
+
+	/**
+	 * @return string
+	 */
+	public function getLength()
+	{
+		$req = $this->server->httpRequest;
+		$length = $req->getHeader('X-Expected-Entity-Length');
+		if (!$length) {
+			$length = $req->getHeader('Content-Length');
+		}
+
+		return $length;
+	}
+
+	/**
+	 * @return \OC\Files\View
+	 */
+	public function getFileView()
+	{
+		if (is_null($this->fileView)) {
+			// initialize fileView
+			$this->fileView = \OC\Files\Filesystem::getView();
+		}
+
+		return $this->fileView;
+	}
+}
diff --git a/lib/connector/sabre/directory.php b/lib/connector/sabre/directory.php
index 66cd2fcd4e3..382bdf06df1 100644
--- a/lib/connector/sabre/directory.php
+++ b/lib/connector/sabre/directory.php
@@ -74,21 +74,14 @@ class OC_Connector_Sabre_Directory extends OC_Connector_Sabre_Node implements Sa
 
 			\OC\Files\Filesystem::file_put_contents($partpath, $data);
 
-			//detect aborted upload
-			if (isset ($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'PUT' ) {
-				if (isset($_SERVER['CONTENT_LENGTH'])) {
-					$expected = $_SERVER['CONTENT_LENGTH'];
-					$actual = \OC\Files\Filesystem::filesize($partpath);
-					if ($actual != $expected) {
-						\OC\Files\Filesystem::unlink($partpath);
-						throw new Sabre_DAV_Exception_BadRequest(
-								'expected filesize ' . $expected . ' got ' . $actual);
-					}
-				}
-			}
-
 			// rename to correct path
-			\OC\Files\Filesystem::rename($partpath, $newPath);
+			$renameOkay = \OC\Files\Filesystem::rename($partpath, $newPath);
+			$fileExists = \OC\Files\Filesystem::file_exists($newPath);
+			if ($renameOkay === false || $fileExists === false) {
+				\OC_Log::write('webdav', '\OC\Files\Filesystem::rename() failed', \OC_Log::ERROR);
+				\OC\Files\Filesystem::unlink($partpath);
+				throw new Sabre_DAV_Exception();
+			}
 
 			// allow sync clients to send the mtime along in a header
 			$mtime = OC_Request::hasModificationTime();
@@ -236,7 +229,7 @@ class OC_Connector_Sabre_Directory extends OC_Connector_Sabre_Node implements Sa
 		$storageInfo = OC_Helper::getStorageInfo($this->path);
 		return array(
 			$storageInfo['used'],
-			$storageInfo['total']
+			$storageInfo['free']
 		);
 
 	}
diff --git a/lib/connector/sabre/file.php b/lib/connector/sabre/file.php
index 61bdcd5e0ae..433b1148552 100644
--- a/lib/connector/sabre/file.php
+++ b/lib/connector/sabre/file.php
@@ -74,7 +74,14 @@ class OC_Connector_Sabre_File extends OC_Connector_Sabre_Node implements Sabre_D
 		}
 
 		// rename to correct path
-		\OC\Files\Filesystem::rename($partpath, $this->path);
+		$renameOkay = \OC\Files\Filesystem::rename($partpath, $this->path);
+		$fileExists = \OC\Files\Filesystem::file_exists($this->path);
+		if ($renameOkay === false || $fileExists === false) {
+			\OC_Log::write('webdav', '\OC\Files\Filesystem::rename() failed', \OC_Log::ERROR);
+			\OC\Files\Filesystem::unlink($partpath);
+			throw new Sabre_DAV_Exception();
+		}
+
 
 		//allow sync clients to send the mtime along in a header
 		$mtime = OC_Request::hasModificationTime();
diff --git a/lib/connector/sabre/node.php b/lib/connector/sabre/node.php
index 0bffa58af78..29b7f9e53a5 100644
--- a/lib/connector/sabre/node.php
+++ b/lib/connector/sabre/node.php
@@ -78,6 +78,11 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr
 	 */
 	public function setName($name) {
 
+		// rename is only allowed if the update privilege is granted
+		if (!\OC\Files\Filesystem::isUpdatable($this->path)) {
+			throw new \Sabre_DAV_Exception_Forbidden();
+		}
+
 		list($parentPath, ) = Sabre_DAV_URLUtil::splitPath($this->path);
 		list(, $newName) = Sabre_DAV_URLUtil::splitPath($name);
 
@@ -135,6 +140,12 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr
 	 *  Even if the modification time is set to a custom value the access time is set to now.
 	 */
 	public function touch($mtime) {
+
+		// touch is only allowed if the update privilege is granted
+		if (!\OC\Files\Filesystem::isUpdatable($this->path)) {
+			throw new \Sabre_DAV_Exception_Forbidden();
+		}
+
 		\OC\Files\Filesystem::touch($this->path, $mtime);
 	}
 
diff --git a/lib/connector/sabre/objecttree.php b/lib/connector/sabre/objecttree.php
index b298813a202..80c3840b99d 100644
--- a/lib/connector/sabre/objecttree.php
+++ b/lib/connector/sabre/objecttree.php
@@ -11,6 +11,14 @@ namespace OC\Connector\Sabre;
 use OC\Files\Filesystem;
 
 class ObjectTree extends \Sabre_DAV_ObjectTree {
+
+	/**
+	 * keep this public to allow mock injection during unit test
+	 *
+	 * @var \OC\Files\View
+	 */
+	public $fileView;
+
 	/**
 	 * Returns the INode object for the requested path
 	 *
@@ -21,14 +29,16 @@ class ObjectTree extends \Sabre_DAV_ObjectTree {
 	public function getNodeForPath($path) {
 
 		$path = trim($path, '/');
-		if (isset($this->cache[$path])) return $this->cache[$path];
+		if (isset($this->cache[$path])) {
+			return $this->cache[$path];
+		}
 
 		// Is it the root node?
 		if (!strlen($path)) {
 			return $this->rootNode;
 		}
 
-		$info = Filesystem::getFileInfo($path);
+		$info = $this->getFileView()->getFileInfo($path);
 
 		if (!$info) {
 			throw new \Sabre_DAV_Exception_NotFound('File with name ' . $path . ' could not be located');
@@ -64,7 +74,25 @@ class ObjectTree extends \Sabre_DAV_ObjectTree {
 		list($sourceDir,) = \Sabre_DAV_URLUtil::splitPath($sourcePath);
 		list($destinationDir,) = \Sabre_DAV_URLUtil::splitPath($destinationPath);
 
-		Filesystem::rename($sourcePath, $destinationPath);
+		// check update privileges
+		$fs = $this->getFileView();
+		if (!$fs->isUpdatable($sourcePath)) {
+			throw new \Sabre_DAV_Exception_Forbidden();
+		}
+		if ($sourceDir !== $destinationDir) {
+			// for a full move we need update privileges on sourcePath and sourceDir as well as destinationDir
+			if (!$fs->isUpdatable($sourceDir)) {
+				throw new \Sabre_DAV_Exception_Forbidden();
+			}
+			if (!$fs->isUpdatable($destinationDir)) {
+				throw new \Sabre_DAV_Exception_Forbidden();
+			}
+		}
+
+		$renameOkay = $fs->rename($sourcePath, $destinationPath);
+		if (!$renameOkay) {
+			throw new \Sabre_DAV_Exception_Forbidden('');
+		}
 
 		$this->markDirty($sourceDir);
 		$this->markDirty($destinationDir);
@@ -88,15 +116,27 @@ class ObjectTree extends \Sabre_DAV_ObjectTree {
 		} else {
 			Filesystem::mkdir($destination);
 			$dh = Filesystem::opendir($source);
-			while (($subnode = readdir($dh)) !== false) {
+			if(is_resource($dh)) {
+				while (($subnode = readdir($dh)) !== false) {
 
-				if ($subnode == '.' || $subnode == '..') continue;
-				$this->copy($source . '/' . $subnode, $destination . '/' . $subnode);
+					if ($subnode == '.' || $subnode == '..') continue;
+					$this->copy($source . '/' . $subnode, $destination . '/' . $subnode);
 
+				}
 			}
 		}
 
 		list($destinationDir,) = \Sabre_DAV_URLUtil::splitPath($destination);
 		$this->markDirty($destinationDir);
 	}
+
+	/**
+	 * @return \OC\Files\View
+	 */
+	public function getFileView() {
+		if (is_null($this->fileView)) {
+			$this->fileView = \OC\Files\Filesystem::getView();
+		}
+		return $this->fileView;
+	}
 }