Diffstat (limited to 'lib/connector')
-rw-r--r--lib/connector/sabre/directory.php15
-rw-r--r--lib/connector/sabre/file.php15
-rw-r--r--lib/connector/sabre/locks.php58
-rw-r--r--lib/connector/sabre/maintenanceplugin.php3
-rw-r--r--lib/connector/sabre/node.php4
5 files changed, 71 insertions, 24 deletions
diff --git a/lib/connector/sabre/directory.php b/lib/connector/sabre/directory.php
index 6ccb54b79ab..3d15a2a584d 100644
--- a/lib/connector/sabre/directory.php
+++ b/lib/connector/sabre/directory.php
@@ -45,9 +45,15 @@ class OC_Connector_Sabre_Directory extends OC_Connector_Sabre_Node implements Sa
*
* @param string $name Name of the file
* @param resource|string $data Initial payload
+ * @throws Sabre_DAV_Exception_Forbidden
* @return null|string
*/
public function createFile($name, $data = null) {
+
+ if (!\OC\Files\Filesystem::isCreatable($this->path)) {
+ throw new \Sabre_DAV_Exception_Forbidden();
+ }
+
if (isset($_SERVER['HTTP_OC_CHUNKED'])) {
$info = OC_FileChunking::decodeName($name);
if (empty($info)) {
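Review bot: The `isCreatable($this->path)` guard at the top of createFile() runs before the `HTTP_OC_CHUNKED` branch, so it also decides chunked uploads, where `$name` is a chunk name and not the final file. If a chunked upload can target a file that already exists (not visible in this hunk), the relevant permission would be update on that file, not create on the directory. I would either move the check below `decodeName()` and pick the permission from whether the target exists, or state the intent in a comment such as `// create permission on the parent is required even for chunks of an existing file`. The method body continues past the end of the hunk.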
@@ -102,10 +108,15 @@ class OC_Connector_Sabre_Directory extends OC_Connector_Sabre_Node implements Sa
* Creates a new subdirectory
*
* @param string $name
+ * @throws Sabre_DAV_Exception_Forbidden
* @return void
*/
public function createDirectory($name) {
+ if (!\OC\Files\Filesystem::isCreatable($this->path)) {
+ throw new \Sabre_DAV_Exception_Forbidden();
+ }
+
$newPath = $this->path . '/' . $name;
if(!\OC\Files\Filesystem::mkdir($newPath)) {
throw new Sabre_DAV_Exception_Forbidden('Could not create directory '.$newPath);
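Review bot: The new throw in createDirectory() is written `\Sabre_DAV_Exception_Forbidden()` with a leading backslash and no message, while the existing throw three lines below it is unqualified and carries a message, and the added `@throws` tag is unqualified as well. An empty 403 gives the client and the server log nothing to distinguish a permission denial from the mkdir failure. I would use one spelling and add a message, e.g. `throw new Sabre_DAV_Exception_Forbidden('No permission to create in ' . $this->path);`. The same applies to the checks added in createFile() and delete() in this file and in put() and delete() in file.php.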
@@ -203,9 +214,13 @@ class OC_Connector_Sabre_Directory extends OC_Connector_Sabre_Node implements Sa
* Deletes all files in this directory, and then itself
*
* @return void
+ * @throws Sabre_DAV_Exception_Forbidden
*/
public function delete() {
+ if (!\OC\Files\Filesystem::isDeletable($this->path)) {
+ throw new \Sabre_DAV_Exception_Forbidden();
+ }
if ($this->path != "/Shared") {
foreach($this->getChildren() as $child) $child->delete();
\OC\Files\Filesystem::rmdir($this->path);
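Review bot: Because every child's delete() can now throw Forbidden, the `foreach($this->getChildren() as $child) $child->delete();` loop can abort midway and leave the directory partly emptied while the client only sees a 403. The directory-level `isDeletable()` check does not cover that, since it says nothing about the children. If an all-or-nothing delete is intended, the children's permissions need to be checked before the first one is removed; otherwise document it on the method, e.g. `// NOTE: deletion is not atomic; a child that is not deletable aborts the loop after earlier children are gone`. The `/Shared` case still returns without deleting and without an error, and the body continues outside the hunk.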
diff --git a/lib/connector/sabre/file.php b/lib/connector/sabre/file.php
index 617be508b16..06ab73e3e4d 100644
--- a/lib/connector/sabre/file.php
+++ b/lib/connector/sabre/file.php
@@ -41,24 +41,29 @@ class OC_Connector_Sabre_File extends OC_Connector_Sabre_Node implements Sabre_D
* return an ETag, and just return null.
*
* @param resource $data
+ * @throws Sabre_DAV_Exception_Forbidden
* @return string|null
*/
public function put($data) {
+ if (!\OC\Files\Filesystem::isUpdatable($this->path)) {
+ throw new \Sabre_DAV_Exception_Forbidden();
+ }
+
// mark file as partial while uploading (ignored by the scanner)
$partpath = $this->path . '.part';
\OC\Files\Filesystem::file_put_contents($partpath, $data);
//detect aborted upload
- if (isset ($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'PUT' ) {
+ if (isset ($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'PUT') {
if (isset($_SERVER['CONTENT_LENGTH'])) {
$expected = $_SERVER['CONTENT_LENGTH'];
$actual = \OC\Files\Filesystem::filesize($partpath);
if ($actual != $expected) {
\OC\Files\Filesystem::unlink($partpath);
throw new Sabre_DAV_Exception_BadRequest(
- 'expected filesize ' . $expected . ' got ' . $actual);
+ 'expected filesize ' . $expected . ' got ' . $actual);
}
}
}
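Review bot: The permission check in put() is made on `$this->path`, but the write that follows goes to `$partpath`, a new sibling file, and its return value is not checked. On storage where the user may update the file but not create entries in the parent (an assumption, the permission model is not visible here), that write could fail, and the code would carry on to the `filesize()` comparison with a missing part file. I would stop on a failed write, e.g. `if (\OC\Files\Filesystem::file_put_contents($partpath, $data) === false) { throw new Sabre_DAV_Exception_Forbidden('Could not write ' . $partpath); }`, assuming the wrapper returns false on failure as PHP's function does. The rest of put() lies outside this hunk.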
@@ -69,7 +74,7 @@ class OC_Connector_Sabre_File extends OC_Connector_Sabre_Node implements Sabre_D
//allow sync clients to send the mtime along in a header
$mtime = OC_Request::hasModificationTime();
if ($mtime !== false) {
- if(\OC\Files\Filesystem::touch($this->path, $mtime)) {
+ if (\OC\Files\Filesystem::touch($this->path, $mtime)) {
header('X-OC-MTime: accepted');
}
}
@@ -92,9 +97,13 @@ class OC_Connector_Sabre_File extends OC_Connector_Sabre_Node implements Sabre_D
* Delete the current file
*
* @return void
+ * @throws Sabre_DAV_Exception_Forbidden
*/
public function delete() {
+ if (!\OC\Files\Filesystem::isDeletable($this->path)) {
+ throw new \Sabre_DAV_Exception_Forbidden();
+ }
\OC\Files\Filesystem::unlink($this->path);
}
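Review bot: The result of `\OC\Files\Filesystem::unlink($this->path)` is discarded after the new `isDeletable()` check, so a delete that passes the permission test but fails in the storage layer still reports success to the WebDAV client. A sync client would then drop its local copy of a file that still exists on the server. I would check the return value, e.g. `if (!\OC\Files\Filesystem::unlink($this->path)) { throw new Sabre_DAV_Exception_Forbidden('Could not delete ' . $this->path); }`, assuming unlink() returns false on failure. The `rmdir()` call in directory.php's delete() has the same gap.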
diff --git a/lib/connector/sabre/locks.php b/lib/connector/sabre/locks.php
index e58e584fb41..69496c15ada 100644
--- a/lib/connector/sabre/locks.php
+++ b/lib/connector/sabre/locks.php
@@ -45,7 +45,12 @@ class OC_Connector_Sabre_Locks extends Sabre_DAV_Locks_Backend_Abstract {
// but otherwise reading locks from SQLite Databases will return
// nothing
$query = 'SELECT * FROM `*PREFIX*locks`'
- .' WHERE `userid` = ? AND (`created` + `timeout`) > '.time().' AND (( `uri` = ?)';
+ .' WHERE `userid` = ? AND (`created` + `timeout`) > '.time().' AND (( `uri` = ?)';
+ if (OC_Config::getValue( "dbtype") === 'oci') {
+ //FIXME oracle hack: need to explicitly cast CLOB to CHAR for comparison
+ $query = 'SELECT * FROM `*PREFIX*locks`'
+ .' WHERE `userid` = ? AND (`created` + `timeout`) > '.time().' AND (( to_char(`uri`) = ?)';
+ }
$params = array(OC_User::getUser(), $uri);
// We need to check locks for every part in the uri.
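Review bot: The Oracle branch repeats the whole SELECT string only to wrap `uri` in `to_char()`, and the same `OC_Config::getValue("dbtype") === 'oci'` test appears again in the loop, in the `$returnChildLocks` branch and in unlock(). That is four places to keep in sync. Computing the column expression once, e.g. ``$uriColumn = (OC_Config::getValue('dbtype') === 'oci') ? 'to_char(`uri`)' : '`uri`';``, and interpolating it would remove the duplication. Separately, `to_char()` on a CLOB fails in Oracle SQL once the value exceeds the VARCHAR2 limit, so a very long lock URI would turn these lookups into query errors; the FIXME should name that limit or the column type should be reconsidered.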
@@ -60,23 +65,31 @@ class OC_Connector_Sabre_Locks extends Sabre_DAV_Locks_Backend_Abstract {
if ($currentPath) $currentPath.='/';
$currentPath.=$part;
-
- $query.=' OR (`depth` != 0 AND `uri` = ?)';
+ //FIXME oracle hack: need to explicitly cast CLOB to CHAR for comparison
+ if (OC_Config::getValue( "dbtype") === 'oci') {
+ $query.=' OR (`depth` != 0 AND to_char(`uri`) = ?)';
+ } else {
+ $query.=' OR (`depth` != 0 AND `uri` = ?)';
+ }
$params[] = $currentPath;
}
if ($returnChildLocks) {
- $query.=' OR (`uri` LIKE ?)';
+ //FIXME oracle hack: need to explicitly cast CLOB to CHAR for comparison
+ if (OC_Config::getValue( "dbtype") === 'oci') {
+ $query.=' OR (to_char(`uri`) LIKE ?)';
+ } else {
+ $query.=' OR (`uri` LIKE ?)';
+ }
$params[] = $uri . '/%';
}
$query.=')';
- $stmt = OC_DB::prepare( $query );
- $result = $stmt->execute( $params );
-
+ $result = OC_DB::executeAudited( $query, $params );
+
$lockList = array();
while( $row = $result->fetchRow()) {
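Review bot: Both variants of the child-lock clause bind `$uri . '/%'` to `LIKE ?` without escaping the `%` and `_` characters that may already occur in `$uri`. A path such as `a_b` therefore also matches locks under `axb/`, so getLocks() can return locks that are not children of the requested URI. The query is scoped to the current `userid`, which limits the effect to that user's own locks. I would escape the wildcard characters in `$uri` before appending `/%` and add a matching `ESCAPE` clause, keeping in mind that the escape syntax has to work on every supported database.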
@@ -113,14 +126,17 @@ class OC_Connector_Sabre_Locks extends Sabre_DAV_Locks_Backend_Abstract {
$locks = $this->getLocks($uri, false);
$exists = false;
foreach($locks as $lock) {
- if ($lock->token == $lockInfo->token) $exists = true;
+ if ($lock->token == $lockInfo->token) {
+ $exists = true;
+ break;
+ }
}
if ($exists) {
- $query = OC_DB::prepare( 'UPDATE `*PREFIX*locks`'
- .' SET `owner` = ?, `timeout` = ?, `scope` = ?, `depth` = ?, `uri` = ?, `created` = ?'
- .' WHERE `userid` = ? AND `token` = ?' );
- $result = $query->execute( array(
+ $sql = 'UPDATE `*PREFIX*locks`'
+ .' SET `owner` = ?, `timeout` = ?, `scope` = ?, `depth` = ?, `uri` = ?, `created` = ?'
+ .' WHERE `userid` = ? AND `token` = ?';
+ $result = OC_DB::executeAudited( $sql, array(
$lockInfo->owner,
$lockInfo->timeout,
$lockInfo->scope,
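Review bot: The rewritten loop still compares tokens with `==`, and PHP compares two numeric-looking strings numerically under that operator. Lock tokens are opaque strings, so the test should be strict: `if ($lock->token === $lockInfo->token) {`. With the loose form, two distinct tokens that both parse as the same number would be treated as the same lock and the UPDATE branch would be taken for the wrong row. The added `break` is fine.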
@@ -131,10 +147,10 @@ class OC_Connector_Sabre_Locks extends Sabre_DAV_Locks_Backend_Abstract {
$lockInfo->token)
);
} else {
- $query = OC_DB::prepare( 'INSERT INTO `*PREFIX*locks`'
- .' (`userid`,`owner`,`timeout`,`scope`,`depth`,`uri`,`created`,`token`)'
- .' VALUES (?,?,?,?,?,?,?,?)' );
- $result = $query->execute( array(
+ $sql = 'INSERT INTO `*PREFIX*locks`'
+ .' (`userid`,`owner`,`timeout`,`scope`,`depth`,`uri`,`created`,`token`)'
+ .' VALUES (?,?,?,?,?,?,?,?)';
+ $result = OC_DB::executeAudited( $sql, array(
OC_User::getUser(),
$lockInfo->owner,
$lockInfo->timeout,
@@ -159,10 +175,14 @@ class OC_Connector_Sabre_Locks extends Sabre_DAV_Locks_Backend_Abstract {
*/
public function unlock($uri, Sabre_DAV_Locks_LockInfo $lockInfo) {
- $query = OC_DB::prepare( 'DELETE FROM `*PREFIX*locks` WHERE `userid` = ? AND `uri` = ? AND `token` = ?' );
- $result = $query->execute( array(OC_User::getUser(), $uri, $lockInfo->token));
+ $sql = 'DELETE FROM `*PREFIX*locks` WHERE `userid` = ? AND `uri` = ? AND `token` = ?';
+ if (OC_Config::getValue( "dbtype") === 'oci') {
+ //FIXME oracle hack: need to explicitly cast CLOB to CHAR for comparison
+ $sql = 'DELETE FROM `*PREFIX*locks` WHERE `userid` = ? AND to_char(`uri`) = ? AND `token` = ?';
+ }
+ $result = OC_DB::executeAudited( $sql, array(OC_User::getUser(), $uri, $lockInfo->token));
- return $result->numRows() === 1;
+ return $result === 1;
}
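Review bot: `return $result === 1;` in unlock() only holds if `OC_DB::executeAudited()` returns the affected-row count as an integer for a DELETE. Its return type is not visible in this diff, and if a driver hands back a numeric string or a result object, unlock() would report failure for every successful unlock. I would either cast before comparing, `return (int)$result === 1;`, or add a comment above the return that records the contract, e.g. `// executeAudited() returns the number of affected rows for DELETE`.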
diff --git a/lib/connector/sabre/maintenanceplugin.php b/lib/connector/sabre/maintenanceplugin.php
index 329fa4443ad..2eda269afc2 100644
--- a/lib/connector/sabre/maintenanceplugin.php
+++ b/lib/connector/sabre/maintenanceplugin.php
@@ -50,6 +50,9 @@ class OC_Connector_Sabre_MaintenancePlugin extends Sabre_DAV_ServerPlugin
if (OC_Config::getValue('maintenance', false)) {
throw new Sabre_DAV_Exception_ServiceUnavailable();
}
+ if (OC::checkUpgrade(false)) {
+ throw new Sabre_DAV_Exception_ServiceUnavailable('Upgrade needed');
+ }
return true;
}
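Review bot: The bare `false` passed to `OC::checkUpgrade(false)` is not explained, and nothing in this hunk says what the argument controls. A short comment above the call would help the next reader, e.g. `// false: only report whether an upgrade is pending, do not render the upgrade page` (wording to be confirmed against checkUpgrade's signature). The maintenance branch just above throws `Sabre_DAV_Exception_ServiceUnavailable()` without a message while this one passes 'Upgrade needed'; giving both a message would let clients and logs tell the two 503 cases apart. The enclosing method starts outside the hunk.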
diff --git a/lib/connector/sabre/node.php b/lib/connector/sabre/node.php
index 1ffa048d6b2..0bffa58af78 100644
--- a/lib/connector/sabre/node.php
+++ b/lib/connector/sabre/node.php
@@ -189,8 +189,8 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr
*/
public function getProperties($properties) {
if (is_null($this->property_cache)) {
- $query = OC_DB::prepare( 'SELECT * FROM `*PREFIX*properties` WHERE `userid` = ? AND `propertypath` = ?' );
- $result = $query->execute( array( OC_User::getUser(), $this->path ));
+ $sql = 'SELECT * FROM `*PREFIX*properties` WHERE `userid` = ? AND `propertypath` = ?';
+ $result = OC_DB::executeAudited( $sql, array( OC_User::getUser(), $this->path ) );
$this->property_cache = array();
while( $row = $result->fetchRow()) {