Diffstat (limited to 'lib')
-rwxr-xr-x | lib/app.php | 7 | ||||
-rw-r--r-- | lib/archive/tar.php | 4 | ||||
-rw-r--r-- | lib/archive/zip.php | 2 | ||||
-rw-r--r-- | lib/base.php | 11 | ||||
-rw-r--r-- | lib/config.php | 6 | ||||
-rw-r--r-- | lib/connector/sabre/file.php | 4 | ||||
-rw-r--r-- | lib/connector/sabre/node.php | 24 | ||||
-rw-r--r-- | lib/fileproxy.php | 33 | ||||
-rw-r--r-- | lib/filesystem.php | 27 | ||||
-rw-r--r-- | lib/filesystemview.php | 58 | ||||
-rw-r--r-- | lib/helper.php | 74 | ||||
-rw-r--r-- | lib/image.php | 4 | ||||
-rw-r--r-- | lib/installer.php | 2 | ||||
-rw-r--r-- | lib/json.php | 12 | ||||
-rw-r--r-- | lib/ocsclient.php | 18 | ||||
-rw-r--r-- | lib/public/json.php | 7 | ||||
-rw-r--r-- | lib/public/util.php | 34 | ||||
-rw-r--r-- | lib/setup.php | 4 | ||||
-rw-r--r-- | lib/template.php | 55 | ||||
-rw-r--r-- | lib/updater.php | 17 | ||||
-rw-r--r-- | lib/user/database.php | 8 | ||||
-rwxr-xr-x[-rw-r--r--] | lib/util.php | 87 | ||||
-rw-r--r-- | lib/vcategories.php | 8 |
23 files changed, 359 insertions, 147 deletions
diff --git a/lib/app.php b/lib/app.php index ca7a022f893..1dcccee1da0 100755 --- a/lib/app.php +++ b/lib/app.php @@ -67,6 +67,11 @@ class OC_App{ OC_Util::$scripts = array(); OC_Util::$core_styles = OC_Util::$styles; OC_Util::$styles = array(); + + if (!OC_AppConfig::getValue('core', 'remote_core.css', false)) { + OC_AppConfig::setValue('core', 'remote_core.css', '/core/minimizer.php'); + OC_AppConfig::setValue('core', 'remote_core.js', '/core/minimizer.php'); + } } } // return @@ -510,7 +515,7 @@ class OC_App{ foreach(OC::$APPSROOTS as $apps_dir) { $dh=opendir($apps_dir['path']); while($file=readdir($dh)){ - if(substr($file,0,1)!='.' and is_file($apps_dir['path'].'/'.$file.'/appinfo/app.php')){ + if($file[0]!='.' and is_file($apps_dir['path'].'/'.$file.'/appinfo/app.php')){ $apps[]=$file; } } diff --git a/lib/archive/tar.php b/lib/archive/tar.php index 4ff78779834..944a0ac4ba4 100644 --- a/lib/archive/tar.php +++ b/lib/archive/tar.php @@ -150,7 +150,7 @@ class OC_Archive_TAR extends OC_Archive{ $folderContent=array(); $pathLength=strlen($path); foreach($files as $file){ - if(substr($file,0,1)=='/'){ + if($file[0]=='/'){ $file=substr($file,1); } if(substr($file,0,$pathLength)==$path and $file!=$path){ @@ -241,7 +241,7 @@ class OC_Archive_TAR extends OC_Archive{ } } } - if(substr($path,0,1)!='/'){//not all programs agree on the use of a leading / + if($path[0]!='/'){//not all programs agree on the use of a leading / return $this->fileExists('/'.$path); }else{ return false; diff --git a/lib/archive/zip.php b/lib/archive/zip.php index 22ab48937eb..6631a649b16 100644 --- a/lib/archive/zip.php +++ b/lib/archive/zip.php @@ -191,7 +191,7 @@ class OC_Archive_ZIP extends OC_Archive{ } private function stripPath($path){ - if(substr($path,0,1)=='/'){ + if(!$path || $path[0]=='/'){ return substr($path,1); }else{ return $path; diff --git a/lib/base.php b/lib/base.php index ca4052e5a18..a0f5e83dd47 100644 --- a/lib/base.php +++ b/lib/base.php 
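Review bot: In the two lib/archive/tar.php hunks (@@ -150 and @@ -241) the new `$file[0]=='/'` and `$path[0]!='/'` index an empty string without a guard, which raises an "uninitialized string offset" notice/warning where the old `substr(...,0,1)` was silent; the lib/archive/zip.php hunk in the same commit guards the same construct, so the files are now inconsistent. A strict-emptiness guard keeps the old behaviour exactly, e.g. in fileExists: `if($path==='' || $path[0]!='/'){//not all programs agree on the use of a leading /`, and in the listing loop: `if($file!=='' && $file[0]=='/'){`. Both enclosing methods start outside their hunks.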
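Review bot: The new guard in OC_Archive_ZIP::stripPath, `if(!$path || $path[0]=='/')`, tests truthiness rather than emptiness, so the legitimate entry name `'0'` is treated as empty and becomes `substr('0',1)`, i.e. it is silently dropped, whereas the removed `substr($path,0,1)=='/'` returned it unchanged. Comparing against the empty string keeps the old result for both `''` and `'0'`: `if($path!=='' && $path[0]=='/'){`. Note also that `substr('',1)` yields `false` on PHP versions before 8, so callers comparing the return with `===` need the same care.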
@@ -120,7 +120,7 @@ class OC{ // calculate the documentroot $DOCUMENTROOT=realpath($_SERVER['DOCUMENT_ROOT']); OC::$SERVERROOT=str_replace("\\",'/',substr(__FILE__,0,-13)); - OC::$SUBURI=substr(realpath($_SERVER["SCRIPT_FILENAME"]),strlen(OC::$SERVERROOT)); + OC::$SUBURI= str_replace("\\","/",substr(realpath($_SERVER["SCRIPT_FILENAME"]),strlen(OC::$SERVERROOT))); $scriptName=$_SERVER["SCRIPT_NAME"]; if(substr($scriptName,-1)=='/'){ $scriptName.='index.php'; @@ -428,15 +428,8 @@ class OC{ //make sure temporary files are cleaned up register_shutdown_function(array('OC_Helper','cleanTmp')); - if (OC_Config::getValue('installed', false)) { - if (!OC_AppConfig::getValue('core', 'remote_core.css', false)) { - OC_AppConfig::setValue('core', 'remote_core.css', '/core/minimizer.php'); - OC_AppConfig::setValue('core', 'remote_core.js', '/core/minimizer.php'); - } - } - //parse the given parameters - self::$REQUESTEDAPP = (isset($_GET['app'])?str_replace(array('\0', '/', '\\', '..'), '', strip_tags($_GET['app'])):OC_Config::getValue('defaultapp', 'files')); + self::$REQUESTEDAPP = (isset($_GET['app']) && trim($_GET['app']) != '' && !is_null($_GET['app'])?str_replace(array('\0', '/', '\\', '..'), '', strip_tags($_GET['app'])):OC_Config::getValue('defaultapp', 'files')); if(substr_count(self::$REQUESTEDAPP, '?') != 0){ $app = substr(self::$REQUESTEDAPP, 0, strpos(self::$REQUESTEDAPP, '?')); $param = substr(self::$REQUESTEDAPP, strpos(self::$REQUESTEDAPP, '?') + 1); diff --git a/lib/config.php b/lib/config.php index e3a9c11f247..9279549b1bb 100644 --- a/lib/config.php +++ b/lib/config.php 
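Review bot: In the `self::$REQUESTEDAPP` assignment of the @@ -428 hunk, `!is_null($_GET['app'])` is dead after `isset($_GET['app'])` (isset is already false for null), while the case that actually needs a check is a non-string value: a request such as `?app[]=x` makes `trim()` fail with a TypeError on PHP 8 (a warning and "Array" on older versions) before the sanitising `str_replace` runs. Replacing the redundant test with a type test closes that gap: `isset($_GET['app']) && is_string($_GET['app']) && trim($_GET['app']) != ''`. The line is also long enough that splitting the condition into a local `$requestedApp` variable before the ternary would help readers; the enclosing init code starts and ends outside the hunk.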
@@ -170,14 +170,18 @@ class OC_Config{ } $content .= ");\n?>\n"; + $filename = OC::$SERVERROOT."/config/config.php"; // Write the file - $result=@file_put_contents( OC::$SERVERROOT."/config/config.php", $content ); + $result=@file_put_contents( $filename, $content ); if(!$result) { $tmpl = new OC_Template( '', 'error', 'guest' ); $tmpl->assign('errors',array(1=>array('error'=>"Can't write into config directory 'config'",'hint'=>"You can usually fix this by giving the webserver user write access to the config directory in owncloud"))); $tmpl->printPage(); exit; } + // Prevent others not to read the config + @chmod($filename, 0640); + return true; } } diff --git a/lib/connector/sabre/file.php b/lib/connector/sabre/file.php index f2efe0a5ac1..3ba1b3355f2 100644 --- a/lib/connector/sabre/file.php +++ b/lib/connector/sabre/file.php @@ -63,8 +63,8 @@ class OC_Connector_Sabre_File extends OC_Connector_Sabre_Node implements Sabre_D * @return int */ public function getSize() { - - return OC_Filesystem::filesize($this->path); + $this->stat(); + return $this->stat_cache['size']; } diff --git a/lib/connector/sabre/node.php b/lib/connector/sabre/node.php index a7d1de8b953..e7bcea3171d 100644 --- a/lib/connector/sabre/node.php +++ b/lib/connector/sabre/node.php @@ -29,6 +29,11 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr * @var string */ protected $path; + /** + * file stat cache + * @var array + */ + protected $stat_cache; /** * Sets up the node, expects a full path name @@ -77,7 +82,14 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr } - + /** + * Set the stat cache + */ + protected function stat() { + if (!isset($this->stat_cache)) { + $this->stat_cache = OC_Filesystem::stat($this->path); + } + } /** * Returns the last modification time, as a unix timestamp 
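Review bot: In the lib/config.php hunk the `@chmod($filename, 0640)` runs after `file_put_contents` has already created the file with umask-derived permissions (typically 0644), so there is a window in which config.php, which holds database credentials, is world-readable, and a chmod failure is suppressed without any trace. Consider tightening the umask before the write (or writing to a temporary file and renaming), and logging the failure through `OC_Log::write` instead of discarding the return value. The added comment is also garbled; `// Restrict config.php to the webserver user/group: it contains database credentials` says what the 0640 is for. The enclosing write method starts outside the hunk.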
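Review bot: In lib/connector/sabre/file.php the new `getSize()` returns `$this->stat_cache['size']` without checking that `stat()` actually produced an array; if `OC_Filesystem::stat` reports failure for a missing or unreadable path (presumably `false`, which the page does not show), the index expression yields null with a warning although the method is documented `@return int`. `getLastModified()` in lib/connector/sabre/node.php (next hunk) has the same shape and the same gap. A defensive form such as `return isset($this->stat_cache['size']) ? (int)$this->stat_cache['size'] : 0;` keeps the declared type; it would also be worth a docblock line on `$stat_cache` saying it is filled once per node and not refreshed after a write through the same node.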
@@ -85,8 +97,8 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr * @return int */ public function getLastModified() { - - return OC_Filesystem::filemtime($this->path); + $this->stat(); + return $this->stat_cache['mtime']; } @@ -137,7 +149,9 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr /** * Returns a list of properties for this nodes.; * - * The properties list is a list of propertynames the client requested, encoded as xmlnamespace#tagName, for example: http://www.example.org/namespace#author + * The properties list is a list of propertynames the client requested, + * encoded as xmlnamespace#tagName, for example: + * http://www.example.org/namespace#author * If the array is empty, all properties should be returned * * @param array $properties @@ -153,11 +167,11 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr $existing[$row['propertyname']] = $row['propertyvalue']; } + // if the array was empty, we need to return everything if(count($properties) == 0){ return $existing; } - // if the array was empty, we need to return everything $props = array(); foreach($properties as $property) { if (isset($existing[$property])) $props[$property] = $existing[$property]; diff --git a/lib/fileproxy.php b/lib/fileproxy.php index 70db9cca23c..82c9298788c 100644 --- a/lib/fileproxy.php +++ b/lib/fileproxy.php 
@@ -27,14 +27,17 @@ * Manipulation happens by using 2 kind of proxy operations, pre and post proxies * that manipulate the filesystem call and the result of the call respectively * - * A pre-proxy recieves the filepath as arugments (or 2 filespaths in case of operations like copy or move) and return a boolean - * If a pre-proxy returnes false the file operation will be canceled + * A pre-proxy recieves the filepath as arugments (or 2 filespaths in case of + * operations like copy or move) and return a boolean + * If a pre-proxy returns false the file operation will be canceled * All filesystem operations have a pre-proxy * * A post-proxy recieves 2 arguments, the filepath and the result of the operation. - * The return calue of the post-proxy will be used as the new result of the operation - * The operations that have a post-proxy are - * file_get_contents, is_file, is_dir, file_exists, stat, is_readable, is_writable, fileatime, filemtime, filectime, file_get_contents, getMimeType, hash, fopen, free_space and search + * The return value of the post-proxy will be used as the new result of the operation + * The operations that have a post-proxy are: + * file_get_contents, is_file, is_dir, file_exists, stat, is_readable, + * is_writable, fileatime, filemtime, filectime, file_get_contents, + * getMimeType, hash, fopen, free_space and search */ class OC_FileProxy{ @@ -42,16 +45,7 @@ class OC_FileProxy{ public static $enabled=true; /** - * check if this proxy implments a specific proxy operation - * @param string #proxy name of the proxy operation - * @return bool - */ - public function provides($operation){ - return method_exists($this,$operation); - } - - /** - * fallback function when a proxy operation is not implement + * fallback function when a proxy operation is not implemented * @param string $function the name of the proxy operation * @param mixed * 
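Review bot: The @@ -42 hunk removes the public method `OC_FileProxy::provides()` and the @@ -73 hunk on the next line changes the public static `getProxies($operation,$post)` to `getProxies($operation)`; both are callable from outside the class, and a caller that still passes the old two arguments will not get an error but silently wrong results, because `$operation` is no longer prefixed with `pre`/`post` inside `getProxies`. If external proxy implementations or apps may use either method (the page does not show callers), keep `provides()` as a thin wrapper around `method_exists` and document the new contract of `getProxies` with `@param string $operation the full proxy method name, already prefixed with 'pre' or 'post'`. The rewrapped class comment in this hunk still carries the misspellings "recieves" and "arugments".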
@@ -73,11 +67,10 @@ class OC_FileProxy{ self::$proxies[]=$proxy; } - public static function getProxies($operation,$post){ - $operation=(($post)?'post':'pre').$operation; + public static function getProxies($operation){ $proxies=array(); foreach(self::$proxies as $proxy){ - if($proxy->provides($operation)){ + if(method_exists($proxy,$operation)){ $proxies[]=$proxy; } } @@ -88,8 +81,8 @@ class OC_FileProxy{ if(!self::$enabled){ return true; } - $proxies=self::getProxies($operation,false); $operation='pre'.$operation; + $proxies=self::getProxies($operation); foreach($proxies as $proxy){ if(!is_null($filepath2)){ if($proxy->$operation($filepath,$filepath2)===false){ @@ -108,8 +101,8 @@ class OC_FileProxy{ if(!self::$enabled){ return $result; } - $proxies=self::getProxies($operation,true); $operation='post'.$operation; + $proxies=self::getProxies($operation); foreach($proxies as $proxy){ $result=$proxy->$operation($path,$result); } diff --git a/lib/filesystem.php b/lib/filesystem.php index 84d45f5f24b..28bd7d52900 100644 --- a/lib/filesystem.php +++ b/lib/filesystem.php @@ -150,7 +150,7 @@ class OC_Filesystem{ if(!$path){ $path='/'; } - if(substr($path,0,1)!=='/'){ + if($path[0]!=='/'){ $path='/'.$path; } $foundMountPoint=''; @@ -281,7 +281,7 @@ class OC_Filesystem{ } /** - * change the root to a fake toor + * change the root to a fake root * @param string fakeRoot * @return bool */ @@ -313,11 +313,14 @@ class OC_Filesystem{ * @param string mountpoint */ static public function mount($class,$arguments,$mountpoint){ + if($mountpoint[0]!='/'){ + $mountpoint='/'.$mountpoint; + } if(substr($mountpoint,-1)!=='/'){ $mountpoint=$mountpoint.'/'; } - if(substr($mountpoint,0,1)!=='/'){ - $mountpoint='/'.$mountpoint; + if (self::getView() != null && $mountpoint != '/' && !self::is_dir(basename($mountpoint))) { + self::mkdir(basename($mountpoint)); } self::$mounts[$mountpoint]=array('class'=>$class,'arguments'=>$arguments); } 
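Review bot: In `OC_Filesystem::mount` (lib/filesystem.php, @@ -313) the new directory-creation branch uses `basename($mountpoint)`, which for a nested mount point such as `/foo/bar/` yields `bar`, so `is_dir`/`mkdir` operate on `bar` at the root of the view rather than on the intended `/foo/bar`; it also creates the directory whenever any view exists, which is a side effect `mount` did not have before. The check should use the full path, e.g. `!self::is_dir($mountpoint)` and `self::mkdir($mountpoint)`, with a comment stating why the mount target is created here at all; whether `mkdir` creates missing parents and whether a trailing slash is accepted by the view cannot be confirmed from this page. The reordered `$mountpoint[0]!='/'` test also lacks the empty-string guard the commit adds elsewhere.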
@@ -344,12 +347,26 @@ class OC_Filesystem{ } /** + * return path to file which reflects one visible in browser + * @param string path + * @return string + */ + static public function getLocalPath($path) { + $datadir = \OCP\Config::getSystemValue('datadirectory').'/'.\OC_User::getUser().'/files'; + $newpath = $path; + if (strncmp($newpath, $datadir, strlen($datadir)) == 0) { + $newpath = substr($path, strlen($datadir)); + } + return $newpath; + } + + /** * check if the requested path is valid * @param string path * @return bool */ static public function isValidPath($path){ - if(substr($path,0,1)!=='/'){ + if(!$path || $path[0]!=='/'){ $path='/'.$path; } if(strstr($path,'/../') || strrchr($path, '/') === '/..' ){ diff --git a/lib/filesystemview.php b/lib/filesystemview.php index c8df59cf827..58657671b98 100644 --- a/lib/filesystemview.php +++ b/lib/filesystemview.php @@ -40,6 +40,8 @@ class OC_FilesystemView { private $fakeRoot=''; + private $internal_path_cache=array(); + private $storage_cache=array(); public function __construct($root){ $this->fakeRoot=$root; @@ -49,7 +51,7 @@ class OC_FilesystemView { if(!$path){ $path='/'; } - if(substr($path,0,1)!=='/'){ + if($path[0]!=='/'){ $path='/'.$path; } return $this->fakeRoot.$path; 
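Review bot: `OC_Filesystem::getLocalPath` compares with `strncmp($newpath, $datadir, strlen($datadir))`, a bare prefix match, so a path under a sibling directory that merely starts with the same characters (e.g. `.../files` vs `.../files2/...`) is also stripped; when no user is logged in `\OC_User::getUser()` presumably yields `false`, making `$datadir` end in `//files`, which the method silently accepts. Comparing against the prefix plus a separator closes the first case: `if ($newpath === $datadir || strncmp($newpath, $datadir.'/', strlen($datadir)+1) == 0) {`. The docblock "return path to file which reflects one visible in browser" should say what it actually does: strips the current user's data-directory prefix from an absolute local path so it can be used as a virtual filesystem path, and returns other paths unchanged. In the same hunk, `isValidPath` now uses `!$path ||`, which treats the path `'0'` as empty; `$path === '' ||` preserves the old behaviour.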
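Review bot: The new `$internal_path_cache` and `$storage_cache` properties in OC_FilesystemView (@@ -40) are never invalidated, yet the storage backing a path can change after a view exists: this same commit adds `OC_Filesystem::mount` calls from per-user mount configuration in lib/util.php, and `mount` now creates directories when a view is already present. A lookup cached before such a mount will keep returning the old storage and internal path for that subtree. If the mount order cannot guarantee that views are constructed afterwards, `OC_Filesystem::mount` needs a way to reset these caches; at minimum a comment on the properties should state the assumption, e.g. `// cached per relative path; assumes no mount is added after this view is first used`.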
@@ -84,15 +86,38 @@ class OC_FilesystemView { * @return bool */ public function getInternalPath($path){ - return OC_Filesystem::getInternalPath($this->getAbsolutePath($path)); + if (!isset($this->internal_path_cache[$path])) { + $this->internal_path_cache[$path] = OC_Filesystem::getInternalPath($this->getAbsolutePath($path)); + } + return $this->internal_path_cache[$path]; + } + + /** + * get path relative to the root of the view + * @param string path + * @return string + */ + public function getRelativePath($path){ + if($this->fakeRoot==''){ + return $path; + } + if(strpos($path,$this->fakeRoot)!==0){ + return null; + }else{ + return substr($path,strlen($this->fakeRoot)); + } } + /** * get the storage object for a path * @param string path * @return OC_Filestorage */ public function getStorage($path){ - return OC_Filesystem::getStorage($this->getAbsolutePath($path)); + if (!isset($this->storage_cache[$path])) { + $this->storage_cache[$path] = OC_Filesystem::getStorage($this->getAbsolutePath($path)); + } + return $this->storage_cache[$path]; } /** @@ -224,7 +249,14 @@ class OC_FilesystemView { return $this->basicOperation('unlink',$path,array('delete')); } public function rename($path1,$path2){ - if(OC_FileProxy::runPreProxies('rename',$path1,$path2) and OC_Filesystem::isValidPath($path2)){ + $absolutePath1=$this->getAbsolutePath($path1); + $absolutePath2=$this->getAbsolutePath($path2); + if(OC_FileProxy::runPreProxies('rename',$absolutePath1,$absolutePath2) and OC_Filesystem::isValidPath($path2)){ + $path1=$this->getRelativePath($absolutePath1); + $path2=$this->getRelativePath($absolutePath2); + if($path1==null or $path2==null){ + return false; + } $run=true; OC_Hook::emit( OC_Filesystem::CLASSNAME, OC_Filesystem::signal_rename, array( OC_Filesystem::signal_param_oldpath => $path1 , OC_Filesystem::signal_param_newpath=>$path2, OC_Filesystem::signal_param_run => &$run)); if($run){ 
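Review bot: The new `getRelativePath` accepts any absolute path whose string starts with `$this->fakeRoot` (`strpos($path,$this->fakeRoot)!==0`), so for a root of `/alice` the path `/alicia/x` passes the check and is returned as `a/x`, a path that does not correspond to the caller's intent; the rename/copy/basicOperation callers then operate on that wrong relative path. Requiring the root to be followed by a separator fixes it: `if($path!==$this->fakeRoot && strpos($path,$this->fakeRoot.'/')!==0){`, assuming `$fakeRoot` is stored without a trailing slash, which `getAbsolutePath` concatenating `$this->fakeRoot.$path` suggests. The callers compare the result with `==null`; since a valid relative path always begins with `/`, that is safe, but `=== null` would make the intent explicit.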
@@ -248,7 +280,14 @@ class OC_FilesystemView { } } public function copy($path1,$path2){ - if(OC_FileProxy::runPreProxies('copy',$path1,$path2) and $this->is_readable($path1) and OC_Filesystem::isValidPath($path2)){ + $absolutePath1=$this->getAbsolutePath($path1); + $absolutePath2=$this->getAbsolutePath($path2); + if(OC_FileProxy::runPreProxies('copy',$absolutePath1,$absolutePath2) and OC_Filesystem::isValidPath($path2)){ + $path1=$this->getRelativePath($absolutePath1); + $path2=$this->getRelativePath($absolutePath2); + if($path1==null or $path2==null){ + return false; + } $run=true; OC_Hook::emit( OC_Filesystem::CLASSNAME, OC_Filesystem::signal_copy, array( OC_Filesystem::signal_param_oldpath => $path1 , OC_Filesystem::signal_param_newpath=>$path2, OC_Filesystem::signal_param_run => &$run)); $exists=$this->file_exists($path2); @@ -367,7 +406,12 @@ class OC_FilesystemView { * OC_Filestorage for delegation to a storage backend for execution */ private function basicOperation($operation,$path,$hooks=array(),$extraParam=null){ - if(OC_FileProxy::runPreProxies($operation,$path, $extraParam) and OC_Filesystem::isValidPath($path)){ + $absolutePath=$this->getAbsolutePath($path); + if(OC_FileProxy::runPreProxies($operation,$absolutePath, $extraParam) and OC_Filesystem::isValidPath($path)){ + $path=$this->getRelativePath($absolutePath); + if($path==null){ + return false; + } $internalPath=$this->getInternalPath($path); $run=true; if(OC_Filesystem::$loaded and $this->fakeRoot==OC_Filesystem::getRoot()){ @@ -385,7 +429,7 @@ class OC_FilesystemView { }else{ $result=$storage->$operation($internalPath); } - $result=OC_FileProxy::runPostProxies($operation,$path,$result); + $result=OC_FileProxy::runPostProxies($operation,$this->getAbsolutePath($path),$result); if(OC_Filesystem::$loaded and $this->fakeRoot==OC_Filesystem::getRoot()){ if($operation!='fopen'){//no post hooks for fopen, the file stream is still open foreach($hooks as $hook){ 
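Review bot: The rewritten `copy()` condition drops the `$this->is_readable($path1)` check that the removed line performed, so a copy of a source the current view cannot read is no longer rejected up front and proceeds to the hook emission and the storage call; `rename()` in the previous hunk never had that check, so this looks like an oversight of the refactor rather than a deliberate change. Restore it alongside the proxy call: `if(OC_FileProxy::runPreProxies('copy',$absolutePath1,$absolutePath2) and $this->is_readable($path1) and OC_Filesystem::isValidPath($path2)){`. The method body continues outside the hunk.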
diff --git a/lib/helper.php b/lib/helper.php index 3cf5107eea9..73d4b659a34 100644 --- a/lib/helper.php +++ b/lib/helper.php @@ -90,12 +90,12 @@ class OC_Helper { } - /** - * @brief Returns the server protocol - * @returns the server protocol - * - * Returns the server protocol. It respects reverse proxy servers and load balancers - */ + /** + * @brief Returns the server protocol + * @returns the server protocol + * + * Returns the server protocol. It respects reverse proxy servers and load balancers + */ public static function serverProtocol() { if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) { $proto = strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']); @@ -132,7 +132,7 @@ class OC_Helper { * Returns a absolute url to the given service. */ public static function linkToRemote( $service, $add_slash = true ) { - return self::linkToAbsolute( '', 'remote.php') . '/' . $service . ($add_slash?'/':''); + return self::linkToAbsolute( '', 'remote.php') . '/' . $service . (($add_slash && $service[strlen($service)-1]!='/')?'/':''); } /** @@ -143,7 +143,7 @@ class OC_Helper { * * Returns the path to the image. */ - public static function imagePath( $app, $image ){ + public static function imagePath( $app, $image ){ // Read the selected theme from the config file $theme=OC_Config::getValue( "theme" ); 
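Review bot: In `OC_Helper::linkToRemote` the new test `$service[strlen($service)-1]!='/'` indexes offset -1 when `$service` is the empty string, which raises an uninitialized-offset warning (negative offsets read from the end on PHP 7.1+, but not on an empty string). Using `substr` keeps the old behaviour for every input including `''`: `return self::linkToAbsolute( '', 'remote.php') . '/' . $service . (($add_slash && substr($service,-1)!='/')?'/':'');`. The two other hunks in this file only change indentation.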
@@ -551,35 +551,35 @@ class OC_Helper { } } - /** - * Adds a suffix to the name in case the file exists - * - * @param $path - * @param $filename - * @return string - */ - public static function buildNotExistingFileName($path, $filename){ - if($path==='/'){ - $path=''; - } - if ($pos = strrpos($filename, '.')) { - $name = substr($filename, 0, $pos); - $ext = substr($filename, $pos); - } else { - $name = $filename; - } - - $newpath = $path . '/' . $filename; - $newname = $filename; - $counter = 2; - while (OC_Filesystem::file_exists($newpath)) { - $newname = $name . ' (' . $counter . ')' . $ext; - $newpath = $path . '/' . $newname; - $counter++; - } - - return $newpath; - } + /** + * Adds a suffix to the name in case the file exists + * + * @param $path + * @param $filename + * @return string + */ + public static function buildNotExistingFileName($path, $filename){ + if($path==='/'){ + $path=''; + } + if ($pos = strrpos($filename, '.')) { + $name = substr($filename, 0, $pos); + $ext = substr($filename, $pos); + } else { + $name = $filename; + } + + $newpath = $path . '/' . $filename; + $newname = $filename; + $counter = 2; + while (OC_Filesystem::file_exists($newpath)) { + $newname = $name . ' (' . $counter . ')' . $ext; + $newpath = $path . '/' . $newname; + $counter++; + } + + return $newpath; + } /* * checks if $sub is a subdirectory of $parent diff --git a/lib/image.php b/lib/image.php index af61f9424e9..e5c59bacdc5 100644 --- a/lib/image.php +++ b/lib/image.php @@ -407,7 +407,9 @@ class OC_Image { break; */ default: - $this->resource = imagecreatefromstring(file_get_contents($imagepath)); + + // this is mostly file created from encrypted file + $this->resource = imagecreatefromstring(\OC_Filesystem::file_get_contents(\OC_Filesystem::getLocalPath($imagepath))); $itype = IMAGETYPE_PNG; OC_Log::write('core','OC_Image->loadFromFile, Default', OC_Log::DEBUG); break; diff --git a/lib/installer.php b/lib/installer.php index 299674b29e4..c0903f93d51 100644 
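Review bot: In the lib/image.php default branch, `file_get_contents($imagepath)` is replaced by `\OC_Filesystem::file_get_contents(\OC_Filesystem::getLocalPath($imagepath))`, which changes what happens for a path outside the current user's data directory: `getLocalPath` returns it unchanged and it is then interpreted as a virtual filesystem path instead of a local file, so any caller that passed an absolute local path (the page does not show the callers) now reads something else or nothing. The comment "this is mostly file created from encrypted file" does not explain that; a clearer one is `// Route through OC_Filesystem so file proxies (e.g. decryption) apply; paths outside the user's data directory are passed to OC_Filesystem unchanged`. The result is also not checked before `imagecreatefromstring`, so a read failure surfaces only as a GD warning; the enclosing loadFromFile starts and ends outside the hunk.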
--- a/lib/installer.php +++ b/lib/installer.php @@ -110,7 +110,7 @@ class OC_Installer{ //try to find it in a subdir $dh=opendir($extractDir); while($folder=readdir($dh)){ - if(substr($folder,0,1)!='.' and is_dir($extractDir.'/'.$folder)){ + if($folder[0]!='.' and is_dir($extractDir.'/'.$folder)){ if(is_file($extractDir.'/'.$folder.'/appinfo/info.xml')){ $extractDir.='/'.$folder; } diff --git a/lib/json.php b/lib/json.php index f3bbe9ac899..dfc0a7b894e 100644 --- a/lib/json.php +++ b/lib/json.php @@ -42,6 +42,18 @@ class OC_JSON{ } /** + * @brief Check an ajax get/post call if the request token is valid. + * @return json Error msg if not valid. + */ + public static function callCheck(){ + if( !OC_Util::isCallRegistered()){ + $l = OC_L10N::get('core'); + self::error(array( 'data' => array( 'message' => $l->t('Token expired. Please reload page.') ))); + exit(); + } + } + + /** * Check if the user is a admin, send json error msg if not */ public static function checkAdminUser(){ diff --git a/lib/ocsclient.php b/lib/ocsclient.php index 33308553be0..2888569ad13 100644 --- a/lib/ocsclient.php +++ b/lib/ocsclient.php @@ -35,12 +35,7 @@ class OC_OCSClient{ * This function returns the url of the OCS AppStore server. It´s possible to set it in the config file or it will fallback to the default */ private static function getAppStoreURL(){ - $configurl=OC_Config::getValue('appstoreurl', ''); - if($configurl<>'') { - $url=$configurl; - }else{ - $url='http://api.apps.owncloud.com/v1'; - } + $url = OC_Config::getValue('appstoreurl', 'http://api.apps.owncloud.com/v1'); return($url); } 
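Review bot: The simplified `OC_OCSClient::getAppStoreURL` changes behaviour for a configuration that sets `appstoreurl` to an empty string: the removed code fell back to the default in that case, while `OC_Config::getValue('appstoreurl', 'http://...')` returns the configured `''` verbatim, producing requests to `/content/data?...`. `getKBURL` in the next hunk has the identical regression. If the empty-string fallback is meant to survive, keep it explicitly: `$url = OC_Config::getValue('appstoreurl', ''); if ($url === '') { $url = 'http://api.apps.owncloud.com/v1'; }`, and note in the docblock that the catalogue is fetched over plain HTTP, so its contents are unauthenticated data.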
@@ -50,12 +45,7 @@ class OC_OCSClient{ * This function returns the url of the OCS knowledge base server. It´s possible to set it in the config file or it will fallback to the default */ private static function getKBURL(){ - $configurl=OC_Config::getValue('knowledgebaseurl', ''); - if($configurl<>'') { - $url=$configurl; - }else{ - $url='http://api.apps.owncloud.com/v1'; - } + $url = OC_Config::getValue('knowledgebaseurl', 'http://api.apps.owncloud.com/v1'); return($url); } @@ -95,7 +85,7 @@ class OC_OCSClient{ * * This function returns a list of all the applications on the OCS server */ - public static function getApplications($categories){ + public static function getApplications($categories,$page){ if(OC_Config::getValue('appstoreenabled', true)==false){ return(array()); } @@ -105,7 +95,7 @@ class OC_OCSClient{ }else{ $categoriesstring=$categories; } - $url=OC_OCSClient::getAppStoreURL().'/content/data?categories='.urlencode($categoriesstring).'&sortmode=new&page=0&pagesize=10'; + $url=OC_OCSClient::getAppStoreURL().'/content/data?categories='.urlencode($categoriesstring).'&sortmode=new&page='.urlencode($page).'&pagesize=100'; $apps=array(); $xml=@file_get_contents($url); if($xml==FALSE){ diff --git a/lib/public/json.php b/lib/public/json.php index a8554671d10..b6edbd65bd5 100644 --- a/lib/public/json.php +++ b/lib/public/json.php @@ -53,6 +53,13 @@ class JSON { return(\OC_JSON::checkLoggedIn()); } + /** + * @brief Check an ajax get/post call if the request token is valid. + * @return json Error msg if not valid. + */ + public static function callCheck(){ + return(\OC_JSON::callCheck()); + } /** * @brief Send json success msg diff --git a/lib/public/util.php b/lib/public/util.php index 9b499574da1..d79d3f26b1e 100644 --- a/lib/public/util.php +++ b/lib/public/util.php 
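Review bot: `getApplications($categories,$page)` gains a second parameter without a default, so every existing caller passing only `$categories` now triggers a missing-argument error; the page does not show the callers, but the signature is public. Giving it a default and typing it keeps callers working and removes the need to trust the value in the URL: `public static function getApplications($categories,$page=0){` and `'&sortmode=new&page='.(int)$page.'&pagesize=100'`. The docblock above should also gain `@param int $page zero-based result page` and mention that `pagesize` went from 10 to 100.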
@@ -145,15 +145,15 @@ class Util { } - /** - * @brief Creates an url - * @param $app app - * @param $file file - * @returns the url - * - * Returns a url to the given app and file. - */ - public static function linkTo( $app, $file ){ + /** + * @brief Creates an url + * @param $app app + * @param $file file + * @returns the url + * + * Returns a url to the given app and file. + */ + public static function linkTo( $app, $file ){ return(\OC_Helper::linkTo( $app, $file )); } @@ -248,6 +248,22 @@ class Util { } + /** + * Register an get/post call. This is important to prevent CSRF attacks + * TODO: write example + */ + public static function callRegister(){ + return(\OC_Util::callRegister()); + } + + + /** + * Check an ajax get/post call if the request token is valid. exit if not. + * Todo: Write howto + */ + public static function callCheck(){ + return(\OC_Util::callCheck()); + } } ?> diff --git a/lib/setup.php b/lib/setup.php index a096fdbb4cf..5f1fb1525ec 100644 --- a/lib/setup.php +++ b/lib/setup.php @@ -73,6 +73,10 @@ class OC_Setup { $dbtype='sqlite3'; } + //generate a random salt that is used to salt the local user passwords + $salt=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000); + OC_Config::setValue('passwordsalt', $salt); + //write the config file OC_Config::setValue('datadirectory', $datadir); OC_Config::setValue('dbtype', $dbtype); diff --git a/lib/template.php b/lib/template.php index b99d492a536..149859aa8a5 100644 --- a/lib/template.php +++ b/lib/template.php @@ -155,6 +155,9 @@ class OC_Template{ $this->renderas = $renderas; $this->application = $app; $this->vars = array(); + if($renderas == 'user') { + $this->vars['requesttoken'] = OC_Util::callRegister(); + } $this->l10n = OC_L10N::get($app); header('X-Frame-Options: Sameorigin'); header('X-XSS-Protection: 1; mode=block'); 
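Review bot: In lib/setup.php the new `passwordsalt` is built from eight `mt_rand(1000,9000)` calls, which is a Mersenne Twister sequence rather than a CSPRNG source, and it is stored in config.php as a site-wide pepper appended to every password before hashing (see lib/user/database.php in this commit). Generate it from a cryptographic source, e.g. `$salt=bin2hex(openssl_random_pseudo_bytes(30));` (or `random_bytes()` on PHP 7+), and document next to `OC_Config::setValue('passwordsalt', ...)` that the value must never change after installation because every stored hash depends on it. The comment "salt that is used to salt the local user passwords" is misleading, since phpass already salts per password; "site-wide secret appended to passwords before hashing" is what the code does.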
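Review bot: The two new public wrappers `Util::callRegister` and `Util::callCheck` in lib/public/util.php ship with "TODO: write example" / "Todo: Write howto" docblocks, although they are the only public API apps have for the new CSRF protection. The docblocks should state the contract the implementation in lib/util.php establishes: `callRegister` returns a token string that must be sent back as `requesttoken` (GET, POST or the `REQUESTTOKEN` header), tokens expire after one hour, and `callCheck` terminates the request when the token is missing or invalid. Both are one-line delegations and need no code change.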
@@ -259,6 +262,7 @@ class OC_Template{ * @brief Assign variables * @param $key key * @param $value value + * @param $sanitizeHTML false, if data shouldn't get passed through htmlentities * @returns true * * This function assigns a variable. It can be accessed via $_[$key] in @@ -266,11 +270,29 @@ class OC_Template{ * * If the key existed before, it will be overwritten */ - public function assign( $key, $value ){ + public function assign( $key, $value, $sanitizeHTML=true ){ + if($sanitizeHTML == true) { + if(is_array($value)) { + array_walk_recursive($value,'OC_Template::sanitizeHTML'); + } else { + $value = OC_Template::sanitizeHTML($value); + } + } $this->vars[$key] = $value; return true; } + + /** + * @brief Internaly used to sanitze HTML + * + * This function is internally used to sanitize HTML. + */ + private static function sanitizeHTML( &$value ){ + $value = htmlentities( $value ); + return $value; + } + /** * @brief Appends a variable * @param $key key 
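Review bot: The new `sanitizeHTML` helper calls `htmlentities($value)` with default flags, which leaves single quotes unescaped (ENT_COMPAT) and, on PHP versions before 5.4, assumes ISO-8859-1 so UTF-8 template data can be corrupted; it is also applied to non-string values, so a boolean or object assigned without `false` reaches `htmlentities` unchanged. Use the explicit form `$value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');` (adding `ENT_SUBSTITUTE` where PHP 5.4+ is available) and guard with `is_string`. Since nearly every call site in this commit passes `$sanitizeHTML=false`, the docblock on `assign` should say plainly that escaping is HTML-context only and that templates remain responsible for escaping values assigned with `false`, otherwise the mixed contract invites double-encoding or missed escaping.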
@@ -363,20 +385,21 @@ class OC_Template{ // Decide which page we show if( $this->renderas == "user" ){ $page = new OC_Template( "core", "layout.user" ); - $page->assign('searchurl',OC_Helper::linkTo( 'search', 'index.php' )); + $page->assign('searchurl',OC_Helper::linkTo( 'search', 'index.php' ), false); + $page->assign('requesttoken', $this->vars['requesttoken']); if(array_search(OC_APP::getCurrentApp(),array('settings','admin','help'))!==false){ - $page->assign('bodyid','body-settings'); + $page->assign('bodyid','body-settings', false); }else{ - $page->assign('bodyid','body-user'); + $page->assign('bodyid','body-user', false); } // Add navigation entry $navigation = OC_App::getNavigation(); - $page->assign( "navigation", $navigation); - $page->assign( "settingsnavigation", OC_App::getSettingsNavigation()); + $page->assign( "navigation", $navigation, false); + $page->assign( "settingsnavigation", OC_App::getSettingsNavigation(), false); foreach($navigation as $entry) { if ($entry['active']) { - $page->assign( 'application', $entry['name'] ); + $page->assign( 'application', $entry['name'], false ); break; } } @@ -387,7 +410,7 @@ class OC_Template{ foreach(OC_App::getEnabledApps() as $app){ $apps_paths[$app] = OC_App::getAppWebPath($app); } - $page->assign( 'apps_paths', str_replace('\\/', '/',json_encode($apps_paths)) ); // Ugly unescape slashes waiting for better solution + $page->assign( 'apps_paths', str_replace('\\/', '/',json_encode($apps_paths)) , false); // Ugly unescape slashes waiting for better solution // Read the selected theme from the config file $theme=OC_Config::getValue( "theme" ); @@ -395,7 +418,7 @@ class OC_Template{ // Read the detected formfactor and use the right file name. $fext = self::getFormFactorExtension(); - $page->assign('jsfiles', array()); + $page->assign('jsfiles', array(), false); // Add the core js files or the js files provided by the selected theme foreach(OC_Util::$scripts as $script){ // Is it in 3rd party? 
@@ -479,13 +502,13 @@ class OC_Template{ } // Add custom headers - $page->assign('headers',$this->headers); + $page->assign('headers',$this->headers, false); foreach(OC_Util::$headers as $header){ $page->append('headers',$header); } // Add css files and js files - $page->assign( "content", $data ); + $page->assign( "content", $data, false ); return $page->fetchPage(); } else{ @@ -530,13 +553,13 @@ class OC_Template{ $_ = array_merge( $additionalparams, $this->vars ); } - // Einbinden + // Include ob_start(); include( $this->path.$file.'.php' ); $data = ob_get_contents(); @ob_end_clean(); - // Daten zurückgeben + // Return data return $data; } @@ -550,7 +573,7 @@ class OC_Template{ public static function printUserPage( $application, $name, $parameters = array() ){ $content = new OC_Template( $application, $name, "user" ); foreach( $parameters as $key => $value ){ - $content->assign( $key, $value ); + $content->assign( $key, $value, false ); } print $content->printPage(); } @@ -565,7 +588,7 @@ class OC_Template{ public static function printAdminPage( $application, $name, $parameters = array() ){ $content = new OC_Template( $application, $name, "admin" ); foreach( $parameters as $key => $value ){ - $content->assign( $key, $value ); + $content->assign( $key, $value, false ); } return $content->printPage(); } @@ -580,7 +603,7 @@ class OC_Template{ public static function printGuestPage( $application, $name, $parameters = array() ){ $content = new OC_Template( $application, $name, "guest" ); foreach( $parameters as $key => $value ){ - $content->assign( $key, $value ); + $content->assign( $key, $value,false ); } return $content->printPage(); } diff --git a/lib/updater.php b/lib/updater.php index bc5ee00b6a3..5d97178c30e 100644 --- a/lib/updater.php +++ b/lib/updater.php 
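Review bot: `printUserPage`, `printAdminPage` and `printGuestPage` now pass `false` for every caller-supplied parameter, so the `true` default added to `assign()` never applies to app data that reaches templates through these entry points, and their docblocks (outside the hunks) do not say so. Add to each: `Parameters are assigned without HTML escaping; the template must escape them before output.` The `$content->assign( $key, $value,false )` call in `printGuestPage` is also missing the space after the comma that the two sibling calls have.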
@@ -30,11 +30,12 @@ class OC_Updater{ */ public static function check(){ OC_Appconfig::setValue('core', 'lastupdatedat',microtime(true)); + if(OC_Appconfig::getValue('core', 'installedat','')=='') OC_Appconfig::setValue('core', 'installedat',microtime(true)); $updaterurl='http://apps.owncloud.com/updater.php'; $version=OC_Util::getVersion(); - $version['installed']=OC_Config::getValue('installedat'); - $version['updated']=OC_Appconfig::getValue('core', 'lastupdatedat', OC_Config::getValue( 'lastupdatedat')); + $version['installed']=OC_Appconfig::getValue('core', 'installedat'); + $version['updated']=OC_Appconfig::getValue('core', 'lastupdatedat'); $version['updatechannel']='stable'; $version['edition']=OC_Util::getEditionString(); $versionstring=implode('x',$version); @@ -57,11 +58,15 @@ class OC_Updater{ } public static function ShowUpdatingHint(){ - $data=OC_Updater::check(); - if(isset($data['version']) and $data['version']<>'') { - $txt='<span style="color:#AA0000; font-weight:bold;">'.$data['versionstring'].' is available. Get <a href="'.$data['web'].'">more information</a></span>'; + if(OC_Config::getValue('updatechecker', true)==true){ + $data=OC_Updater::check(); + if(isset($data['version']) and $data['version']<>'') { + $txt='<span style="color:#AA0000; font-weight:bold;">'.$data['versionstring'].' is available. Get <a href="'.$data['web'].'">more information</a></span>'; + }else{ + $txt='up to date'; + } }else{ - $txt='up to date'; + $txt='updates check is disabled'; } return($txt); } diff --git a/lib/user/database.php b/lib/user/database.php index 769ba6a7920..a48b8357d64 100644 --- a/lib/user/database.php +++ b/lib/user/database.php 
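Review bot: In `OC_Updater::check` the new one-line `if(...=='') OC_Appconfig::setValue('core', 'installedat',microtime(true));` initialises `installedat` with the current time on upgraded installations, so the original install date is lost; the removed `OC_Config::getValue('installedat')` read suggests older installs kept it in config.php, and seeding from there would preserve it. A braced form also matches the surrounding style:
```php
if(OC_Appconfig::getValue('core', 'installedat','')==''){
	// keep the install date of pre-existing installs that stored it in config.php
	OC_Appconfig::setValue('core', 'installedat', OC_Config::getValue('installedat', microtime(true)));
}
```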
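Review bot: In the `ShowUpdatingHint` hunk the re-indented line still interpolates `$data['versionstring']` and `$data['web']` into HTML markup unescaped, and `check()` obtains that data from `http://apps.owncloud.com/updater.php` over plain HTTP, so the admin page renders attacker-controllable text if the response is tampered with in transit. Escape both values at the point of use: `htmlspecialchars($data['versionstring'], ENT_QUOTES, 'UTF-8')` and `htmlspecialchars($data['web'], ENT_QUOTES, 'UTF-8')`. The `updatechecker` config key introduced here deserves a docblock mention so admins know how to disable the call.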
@@ -69,7 +69,7 @@ class OC_User_Database extends OC_User_Backend { return false; }else{ $hasher=$this->getHasher(); - $hash = $hasher->HashPassword($password); + $hash = $hasher->HashPassword($password.OC_Config::getValue('passwordsalt', '')); $query = OC_DB::prepare( "INSERT INTO `*PREFIX*users` ( `uid`, `password` ) VALUES( ?, ? )" ); $result = $query->execute( array( $uid, $hash)); @@ -102,7 +102,7 @@ class OC_User_Database extends OC_User_Backend { public function setPassword( $uid, $password ){ if( $this->userExists($uid) ){ $hasher=$this->getHasher(); - $hash = $hasher->HashPassword($password); + $hash = $hasher->HashPassword($password.OC_Config::getValue('passwordsalt', '')); $query = OC_DB::prepare( "UPDATE *PREFIX*users SET password = ? WHERE uid = ?" ); $result = $query->execute( array( $hash, $uid )); @@ -129,9 +129,9 @@ class OC_User_Database extends OC_User_Backend { $row=$result->fetchRow(); if($row){ $storedHash=$row['password']; - if (substr($storedHash,0,1)=='$'){//the new phpass based hashing + if ($storedHash[0]=='$'){//the new phpass based hashing $hasher=$this->getHasher(); - if($hasher->CheckPassword($password, $storedHash)){ + if($hasher->CheckPassword($password.OC_Config::getValue('passwordsalt', ''), $storedHash)){ return $row['uid']; }else{ return false; diff --git a/lib/util.php b/lib/util.php index b344d576ebf..cedbe3fa460 100644..100755 --- a/lib/util.php +++ b/lib/util.php @@ -72,6 +72,15 @@ class OC_Util { $quotaProxy=new OC_FileProxy_Quota(); OC_FileProxy::register($quotaProxy); self::$fsSetup=true; + // Load personal mount config + if (is_file($CONFIG_DATADIRECTORY_ROOT.'/'.$user.'/mount.php')) { + $mountConfig = include($CONFIG_DATADIRECTORY_ROOT.'/'.$user.'/mount.php'); + if (isset($mountConfig['user'][$user])) { + foreach ($mountConfig['user'][$user] as $mountPoint => $options) { + OC_Filesystem::mount($options['class'], $options['options'], $mountPoint); + } + } + } } } 
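Review bot: The expression `$password.OC_Config::getValue('passwordsalt', '')` is duplicated verbatim in `createUser`, `setPassword` and `checkPassword`, and nothing documents that `passwordsalt` is a site-wide pepper whose change invalidates every stored hash. A private helper keeps the three in step, e.g. `private function pepper($password){ return $password.OC_Config::getValue('passwordsalt', ''); }` with a docblock saying the config value must stay constant for the life of the installation. In `checkPassword`, the new `$storedHash[0]=='$'` also warns on an empty stored hash, where the removed `substr` was silent; `$storedHash!=='' && $storedHash[0]=='$'` preserves the old behaviour.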
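Review bot: The lib/util.php hunk `include()`s `data/<user>/mount.php` and executes it as PHP, then instantiates whatever `$options['class']` names via `OC_Filesystem::mount`; user files live under `data/<user>/files/`, so this is safe only as long as no code path lets a user write to the parent directory, which this page cannot confirm. A comment should state that assumption and who is expected to author the file, e.g. `// mount.php is admin-managed configuration; it is executed as PHP, so it must never be writable by the user whose directory it lives in`, and a whitelist check that `$options['class']` is a known storage class before mounting would limit the blast radius if the assumption breaks. `$CONFIG_DATADIRECTORY_ROOT` and `$user` are defined outside the hunk; the enclosing setupFS starts before it.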
@@ -85,7 +94,7 @@ class OC_Util {
 	 * @return array
 	 */
 	public static function getVersion(){
-		return array(4,80,0);
+		return array(4,80,1);
 	}
 
 	/**
@@ -325,7 +334,8 @@ class OC_Util {
 	 * Redirect to the user default page
 	 */
 	public static function redirectToDefaultPage(){
-		if(isset($_REQUEST['redirect_url']) && substr($_REQUEST['redirect_url'], 0, strlen(OC::$WEBROOT)) == OC::$WEBROOT) {
+		OC_Log::write('core','redirectToDefaultPage',OC_Log::DEBUG);
+		if(isset($_REQUEST['redirect_url']) && (substr($_REQUEST['redirect_url'], 0, strlen(OC::$WEBROOT)) == OC::$WEBROOT || $_REQUEST['redirect_url'][0] == '/')) {
 			header( 'Location: '.$_REQUEST['redirect_url']);
 		} else {
 			header( 'Location: '.OC::$WEBROOT.'/'.OC_Appconfig::getValue('core', 'defaultpage', '?app=files'));
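Review bot: The added `$_REQUEST['redirect_url'][0] == '/'` clause accepts protocol-relative URLs such as `//evil.example/`, which browsers resolve to another host, so the post-login redirect becomes an open redirect. Require that a second slash or backslash is absent before trusting the value, e.g. `$url=$_REQUEST['redirect_url']; $local=($url!='' && $url[0]=='/' && (!isset($url[1]) || ($url[1]!='/' && $url[1]!='\\')));` and use `$local` in place of the new clause. The pre-existing WEBROOT prefix test has the same weakness whenever `OC::$WEBROOT` is the empty string, since every value then matches a zero-length prefix. The DEBUG log line records nothing about the request; either drop it or log the target so a suspicious redirect can be traced.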
@@ -345,4 +355,77 @@ class OC_Util {
 		}
 		return $id;
 	}
+
+	/**
+	 * @brief Register an get/post call. This is important to prevent CSRF attacks
+	 * Todo: Write howto
+	 * @return $token Generated token.
+	 */
+	public static function callRegister(){
+		//mamimum time before token exires
+		$maxtime=(60*60); // 1 hour
+
+		// generate a random token.
+		$token=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000);
+
+		// store the token together with a timestamp in the session.
+		$_SESSION['requesttoken-'.$token]=time();
+
+		// cleanup old tokens garbage collector
+		// only run every 20th time so we don´t waste cpu cycles
+		if(rand(0,20)==0) {
+			foreach($_SESSION as $key=>$value) {
+				// search all tokens in the session
+				if(substr($key,0,12)=='requesttoken') {
+					if($value+$maxtime<time()){
+						// remove outdated tokens
+						unset($_SESSION[$key]);
+					}
+				}
+			}
+		}
+		// return the token
+		return($token);
+	}
+
+
+	/**
+	 * @brief Check an ajax get/post call if the request token is valid.
+	 * @return boolean False if request token is not set or is invalid.
+	 */
+	public static function isCallRegistered(){
+		//mamimum time before token exires
+		$maxtime=(60*60); // 1 hour
+		if(isset($_GET['requesttoken'])) {
+			$token=$_GET['requesttoken'];
+		}elseif(isset($_POST['requesttoken'])){
+			$token=$_POST['requesttoken'];
+		}elseif(isset($_SERVER['HTTP_REQUESTTOKEN'])){
+			$token=$_SERVER['HTTP_REQUESTTOKEN'];
+		}else{
+			//no token found.
+			return false;
+		}
+		if(isset($_SESSION['requesttoken-'.$token])) {
+			$timestamp=$_SESSION['requesttoken-'.$token];
+			if($timestamp+$maxtime<time()){
+				return false;
+			}else{
+				//token valid
+				return true;
+			}
+		}else{
+			return false;
+		}
+	}
+
+	/**
+	 * @brief Check an ajax get/post call if the request token is valid. exit if not.
+	 * Todo: Write howto
+	 */
+	public static function callCheck(){
+		if(!OC_Util::isCallRegistered()) {
+			exit;
+		}
+	}
 }
diff --git a/lib/vcategories.php b/lib/vcategories.php
index ddcec1b6a4e..1e79b62f0d6 100644
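Review bot: The CSRF token in callRegister is the concatenation of three `mt_rand(1000,9000)` calls, which yields roughly 39 bits from a generator whose state can be recovered from other outputs it produces, and the sweep uses `rand()`; a token is a secret, so take it from a cryptographic source, e.g. `$token=bin2hex(openssl_random_pseudo_bytes(16));` with a `/dev/urandom` read as fallback where OpenSSL is unavailable. isCallRegistered also accepts the token from `$_GET`, where it lands in access logs and leaks through the Referer header of any outbound link on the page; prefer `$_POST` and the `REQUESTTOKEN` header. callCheck ends the request with a bare `exit` and an implicit 200, so a caller cannot distinguish a CSRF rejection from an empty success; send a status first, e.g. `header('HTTP/1.0 403 Forbidden');`. Tokens are never consumed on use, so one value replays for an hour across any number of requests; if that is intended, the docblock should say so, and the typo `mamimum ... exires` in both comments should read `maximum time before token expires`.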
--- a/lib/vcategories.php
+++ b/lib/vcategories.php
@@ -63,7 +63,7 @@ class OC_VCategories {
 	 * @returns array containing the categories as strings.
 	 */
 	public function categories() {
-		OC_Log::write('core','OC_VCategories::categories: '.print_r($this->categories, true), OC_Log::DEBUG);
+		//OC_Log::write('core','OC_VCategories::categories: '.print_r($this->categories, true), OC_Log::DEBUG);
 		usort($this->categories, 'strnatcasecmp'); // usort to also renumber the keys
 		return $this->categories;
 	}
@@ -169,7 +169,7 @@ class OC_VCategories {
 		foreach($names as $name) {
 			OC_Log::write('core','OC_VCategories::delete: '.$name, OC_Log::DEBUG);
 			if($this->hasCategory($name)) {
-				OC_Log::write('core','OC_VCategories::delete: '.$name.' got it', OC_Log::DEBUG);
+				//OC_Log::write('core','OC_VCategories::delete: '.$name.' got it', OC_Log::DEBUG);
 				unset($this->categories[$this->array_searchi($name, $this->categories)]);
 			}
 		}
@@ -183,14 +183,14 @@ class OC_VCategories {
 			//OC_Log::write('core','OC_VCategories::delete, before: '.$key.': '.print_r($categories, true), OC_Log::DEBUG);
 			foreach($names as $name) {
 				$idx = $this->array_searchi($name, $categories);
-				OC_Log::write('core','OC_VCategories::delete, loop: '.$name.', '.print_r($idx, true), OC_Log::DEBUG);
+				//OC_Log::write('core','OC_VCategories::delete, loop: '.$name.', '.print_r($idx, true), OC_Log::DEBUG);
 				if($idx !== false) {
 					OC_Log::write('core','OC_VCategories::delete, unsetting: '.$categories[$this->array_searchi($name, $categories)], OC_Log::DEBUG);
 					unset($categories[$this->array_searchi($name, $categories)]);
 					//unset($categories[$idx]);
 				}
 			}
-			OC_Log::write('core','OC_VCategories::delete, after: '.$key.': '.print_r($categories, true), OC_Log::DEBUG);
+			//OC_Log::write('core','OC_VCategories::delete, after: '.$key.': '.print_r($categories, true), OC_Log::DEBUG);
 			$vobject->setString('CATEGORIES', implode(',', $categories));
 			$value[1] = $vobject->serialize();
 			$objects[$key] = $value; |
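Review bot: Commenting out the debug `OC_Log::write` calls leaves dead code next to the already commented `//OC_Log::write(... before ...)` and `//unset($categories[$idx]);` lines; delete them instead, since version control keeps the history and a reader cannot tell a disabled line from a pending one. The remaining `OC_Log::write('core','OC_VCategories::delete, unsetting: '...` and the `delete: '.$name` call in the previous hunk still write user-supplied category names at DEBUG level, so the reduction in log noise is partial. If switchable tracing is the goal, one guarded helper is cleaner than toggling comments line by line. The enclosing delete() method starts outside the hunk.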