diff options
Diffstat (limited to 'lib/connector')
| -rw-r--r-- | lib/connector/sabre/directory.php | 15 | ||||
| -rw-r--r-- | lib/connector/sabre/file.php | 15 | ||||
| -rw-r--r-- | lib/connector/sabre/locks.php | 4 | ||||
| -rw-r--r-- | lib/connector/sabre/node.php | 4 |
4 files changed, 33 insertions, 5 deletions
diff --git a/lib/connector/sabre/directory.php b/lib/connector/sabre/directory.php index 6ccb54b79ab..3d15a2a584d 100644 --- a/lib/connector/sabre/directory.php +++ b/lib/connector/sabre/directory.php @@ -45,9 +45,15 @@ class OC_Connector_Sabre_Directory extends OC_Connector_Sabre_Node implements Sa * * @param string $name Name of the file * @param resource|string $data Initial payload + * @throws Sabre_DAV_Exception_Forbidden * @return null|string */ public function createFile($name, $data = null) { + + if (!\OC\Files\Filesystem::isCreatable($this->path)) { + throw new \Sabre_DAV_Exception_Forbidden(); + } + if (isset($_SERVER['HTTP_OC_CHUNKED'])) { $info = OC_FileChunking::decodeName($name); if (empty($info)) { @@ -102,10 +108,15 @@ class OC_Connector_Sabre_Directory extends OC_Connector_Sabre_Node implements Sa * Creates a new subdirectory * * @param string $name + * @throws Sabre_DAV_Exception_Forbidden * @return void */ public function createDirectory($name) { + if (!\OC\Files\Filesystem::isCreatable($this->path)) { + throw new \Sabre_DAV_Exception_Forbidden(); + } + $newPath = $this->path . '/' . $name; if(!\OC\Files\Filesystem::mkdir($newPath)) { throw new Sabre_DAV_Exception_Forbidden('Could not create directory '.$newPath); @@ -203,9 +214,13 @@ class OC_Connector_Sabre_Directory extends OC_Connector_Sabre_Node implements Sa * Deletes all files in this directory, and then itself * * @return void + * @throws Sabre_DAV_Exception_Forbidden */ public function delete() { + if (!\OC\Files\Filesystem::isDeletable($this->path)) { + throw new \Sabre_DAV_Exception_Forbidden(); + } if ($this->path != "/Shared") { foreach($this->getChildren() as $child) $child->delete(); \OC\Files\Filesystem::rmdir($this->path); diff --git a/lib/connector/sabre/file.php b/lib/connector/sabre/file.php index 91646312e90..438d9871c22 100644 --- a/lib/connector/sabre/file.php +++ b/lib/connector/sabre/file.php @@ -41,24 +41,29 @@ class OC_Connector_Sabre_File extends OC_Connector_Sabre_Node implements Sabre_D * return an ETag, and just return null. * * @param resource $data + * @throws Sabre_DAV_Exception_Forbidden * @return string|null */ public function put($data) { + if (!\OC\Files\Filesystem::isUpdatable($this->path)) { + throw new \Sabre_DAV_Exception_Forbidden(); + } + // mark file as partial while uploading (ignored by the scanner) $partpath = $this->path . '.part'; \OC\Files\Filesystem::file_put_contents($partpath, $data); //detect aborted upload - if (isset ($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'PUT' ) { + if (isset ($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'PUT') { if (isset($_SERVER['CONTENT_LENGTH'])) { $expected = $_SERVER['CONTENT_LENGTH']; $actual = \OC\Files\Filesystem::filesize($partpath); if ($actual != $expected) { \OC\Files\Filesystem::unlink($partpath); throw new Sabre_DAV_Exception_BadRequest( - 'expected filesize ' . $expected . ' got ' . $actual); + 'expected filesize ' . $expected . ' got ' . $actual); } } } @@ -69,7 +74,7 @@ class OC_Connector_Sabre_File extends OC_Connector_Sabre_Node implements Sabre_D //allow sync clients to send the mtime along in a header $mtime = OC_Request::hasModificationTime(); if ($mtime !== false) { - if(\OC\Files\Filesystem::touch($this->path, $mtime)) { + if (\OC\Files\Filesystem::touch($this->path, $mtime)) { header('X-OC-MTime: accepted'); } } @@ -92,9 +97,13 @@ class OC_Connector_Sabre_File extends OC_Connector_Sabre_Node implements Sabre_D * Delete the current file * * @return void + * @throws Sabre_DAV_Exception_Forbidden */ public function delete() { + if (!\OC\Files\Filesystem::isDeletable($this->path)) { + throw new \Sabre_DAV_Exception_Forbidden(); + } \OC\Files\Filesystem::unlink($this->path); } diff --git a/lib/connector/sabre/locks.php b/lib/connector/sabre/locks.php index e057b059947..69496c15ada 100644 --- a/lib/connector/sabre/locks.php +++ b/lib/connector/sabre/locks.php @@ -176,6 +176,10 @@ class OC_Connector_Sabre_Locks extends Sabre_DAV_Locks_Backend_Abstract { public function unlock($uri, Sabre_DAV_Locks_LockInfo $lockInfo) { $sql = 'DELETE FROM `*PREFIX*locks` WHERE `userid` = ? AND `uri` = ? AND `token` = ?'; + if (OC_Config::getValue( "dbtype") === 'oci') { + //FIXME oracle hack: need to explicitly cast CLOB to CHAR for comparison + $sql = 'DELETE FROM `*PREFIX*locks` WHERE `userid` = ? AND to_char(`uri`) = ? AND `token` = ?'; + } $result = OC_DB::executeAudited( $sql, array(OC_User::getUser(), $uri, $lockInfo->token)); return $result === 1; diff --git a/lib/connector/sabre/node.php b/lib/connector/sabre/node.php index 1ffa048d6b2..0bffa58af78 100644 --- a/lib/connector/sabre/node.php +++ b/lib/connector/sabre/node.php @@ -189,8 +189,8 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr */ public function getProperties($properties) { if (is_null($this->property_cache)) { - $query = OC_DB::prepare( 'SELECT * FROM `*PREFIX*properties` WHERE `userid` = ? AND `propertypath` = ?' ); - $result = $query->execute( array( OC_User::getUser(), $this->path )); + $sql = 'SELECT * FROM `*PREFIX*properties` WHERE `userid` = ? AND `propertypath` = ?'; + $result = OC_DB::executeAudited( $sql, array( OC_User::getUser(), $this->path ) ); $this->property_cache = array(); while( $row = $result->fetchRow()) { |