From 41e5850450d962deff277cb713b8d057e9749dbf Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Wed, 18 Feb 2015 16:01:24 +0100
Subject: Prevent directory traversals in ctr of \OC\Files\View

This prevents a misusage of \OC\Files\View by calling it with user-supplied input. In such cases an exception is now thrown.
---
 lib/private/files/view.php | 8 ++++++++
 tests/lib/files/view.php | 17 +++++++++++++++++
 2 files changed, 25 insertions(+)
diff --git a/lib/private/files/view.php b/lib/private/files/view.php
index 3bc9fdff1ee..3dfd4d0c105 100644
--- a/lib/private/files/view.php
+++ b/lib/private/files/view.php
@@ -36,7 +36,15 @@ class View {
 */
 protected $updater;
+ /**
+ * @param string $root
+ * @throws \Exception If $root contains an invalid path
+ */
 public function __construct($root = '') {
+ if(!Filesystem::isValidPath($root)) {
+ throw new \Exception();
+ }
+
 $this->fakeRoot = $root;
 $this->updater = new Updater($this);
 }
diff --git a/tests/lib/files/view.php b/tests/lib/files/view.php
index f6af59d52be..b4b6d0deb2e 100644
--- a/tests/lib/files/view.php
+++ b/tests/lib/files/view.php
@@ -894,4 +894,21 @@ class View extends \Test\TestCase {
 $this->assertFalse($view->unlink('foo.txt'));
 $this->assertTrue($cache->inCache('foo.txt'));
 }
+
+ function directoryTraversalProvider() {
+ return [
+ ['../test/'],
+ ['..\\test\\my/../folder'],
+ ['/test/my/../foo\\'],
+ ];
+ }
+
+ /**
+ * @dataProvider directoryTraversalProvider
+ * @expectedException \Exception
+ * @param string $root
+ */
+ public function testConstructDirectoryTraversalException($root) {
+ new \OC\Files\View($root);
+ }
 }
-- cgit v1.2.3
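Review bot: The new guard in `__construct` throws a bare `\Exception` with no message, so a rejected root reaches logs and callers with nothing that marks it as a path-validation failure. Something like `throw new \InvalidArgumentException('Invalid root path passed to View');` still satisfies the documented `@throws \Exception` and the test's expectation, and it avoids echoing the caller-supplied value. The check also covers construction only: if `fakeRoot` can be reassigned later by another method of this class (outside this hunk), that assignment needs the same `Filesystem::isValidPath()` call. What `isValidPath()` actually rejects is not visible here, so the guarantee is only as strong as that helper.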
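Review bot: `directoryTraversalProvider()` is declared without a visibility keyword or docblock while the test beside it is `public`; `public function directoryTraversalProvider()` with a one-line comment stating that every row is a root the constructor must reject would match. Every row embeds `..` inside a longer path, so a bare `['..']` and a trailing `['/test/..']` row would pin the edge cases, assuming the validator is meant to reject them. The suite also has no positive case here: a separate test asserting that `new \OC\Files\View('/files')` and the default `''` still construct would catch a validator that is too strict, which would otherwise break every caller silently passing the traversal tests.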