From a7df23cebadfc0a60095ff53e4ae5e293eb02b38 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@owncloud.com>
Date: Fri, 13 Feb 2015 13:33:20 +0100
Subject: Manually type-case all AJAX files

This enforces proper types on POST and GET arguments where I considered it sensible. I didn't update some as I don't know what kind of values they would support :see_no_evil:

Fixes https://github.com/owncloud/core/issues/14196 for core
---
 apps/files/ajax/upload.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'apps/files/ajax/upload.php')

diff --git a/apps/files/ajax/upload.php b/apps/files/ajax/upload.php
index 88375f82acb..321a14e70fc 100644
--- a/apps/files/ajax/upload.php
+++ b/apps/files/ajax/upload.php
@@ -16,7 +16,7 @@ $l = \OC::$server->getL10N('files');
 if (empty($_POST['dirToken'])) {
 	// The standard case, files are uploaded through logged in users :)
 	OCP\JSON::checkLoggedIn();
-	$dir = isset($_POST['dir']) ? $_POST['dir'] : "";
+	$dir = isset($_POST['dir']) ? (string)$_POST['dir'] : '';
 	if (!$dir || empty($dir) || $dir === false) {
 		OCP\JSON::error(array('data' => array_merge(array('message' => $l->t('Unable to set upload directory.')))));
 		die();
@@ -30,9 +30,9 @@ if (empty($_POST['dirToken'])) {
 
 	// return only read permissions for public upload
 	$allowedPermissions = \OCP\Constants::PERMISSION_READ;
-	$publicDirectory = !empty($_POST['subdir']) ? $_POST['subdir'] : '/';
+	$publicDirectory = !empty($_POST['subdir']) ? (string)$_POST['subdir'] : '/';
 
-	$linkItem = OCP\Share::getShareByToken($_POST['dirToken']);
+	$linkItem = OCP\Share::getShareByToken((string)$_POST['dirToken']);
 	if ($linkItem === false) {
 		OCP\JSON::error(array('data' => array_merge(array('message' => $l->t('Invalid Token')))));
 		die();
-- 
cgit v1.2.3