From a7df23cebadfc0a60095ff53e4ae5e293eb02b38 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Fri, 13 Feb 2015 13:33:20 +0100
Subject: Manually type-case all AJAX files
This enforces proper types on POST and GET arguments where I considered it sensible. I didn't update some as I don't know what kind of values they would support :see_no_evil:
Fixes https://github.com/owncloud/core/issues/14196 for core
---
 apps/files/ajax/delete.php | 8 ++++----
 apps/files/ajax/download.php | 4 ++--
 apps/files/ajax/getstoragestats.php | 2 +-
 apps/files/ajax/list.php | 4 ++--
 apps/files/ajax/mimeicon.php | 2 +-
 apps/files/ajax/move.php | 6 +++---
 apps/files/ajax/newfile.php | 8 ++++----
 apps/files/ajax/newfolder.php | 4 ++--
 apps/files/ajax/rename.php | 6 +++---
 apps/files/ajax/scan.php | 2 +-
 apps/files/ajax/upload.php | 6 +++---
 11 files changed, 26 insertions(+), 26 deletions(-)
(limited to 'apps/files/ajax')
diff --git a/apps/files/ajax/delete.php b/apps/files/ajax/delete.php
index 1a810f6954c..e891bb86208 100644
--- a/apps/files/ajax/delete.php
+++ b/apps/files/ajax/delete.php
@@ -6,18 +6,18 @@ OCP\JSON::callCheck();
 // Get data
-$dir = isset($_POST['dir']) ? $_POST['dir'] : '';
-$allFiles = isset($_POST["allfiles"]) ? $_POST["allfiles"] : false;
+$dir = isset($_POST['dir']) ? (string)$_POST['dir'] : '';
+$allFiles = isset($_POST["allfiles"]) ? (bool)$_POST["allfiles"] : false;
 // delete all files in dir ?
-if ($allFiles === 'true') {
+if ($allFiles === true) {
 $files = array();
 $fileList = \OC\Files\Filesystem::getDirectoryContent($dir);
 foreach ($fileList as $fileInfo) {
 $files[] = $fileInfo['name'];
 }
 } else {
- $files = isset($_POST["file"]) ? $_POST["file"] : $_POST["files"];
+ $files = isset($_POST["file"]) ? (string)$_POST["file"] : (string)$_POST["files"];
 $files = json_decode($files);
 }
 $filesWithError = '';
diff --git a/apps/files/ajax/download.php b/apps/files/ajax/download.php
index 368257b95cd..4bc4fc9298a 100644
--- a/apps/files/ajax/download.php
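Review bot: The `(bool)` cast on the new `$allFiles` line widens who can reach the delete-everything branch: in PHP `(bool)"false"` is `true`, so a request carrying `allfiles=false` (what a JavaScript boolean serialises to) now satisfies `if ($allFiles === true)` and removes every entry of `$dir`, where the old `=== 'true'` comparison did not. Keep the strict string comparison and only coerce the result, e.g. `$allFiles = isset($_POST['allfiles']) && $_POST['allfiles'] === 'true';`, or use `filter_var($_POST['allfiles'], FILTER_VALIDATE_BOOLEAN)`, which maps `"false"`, `"0"` and `""` to false. On the else branch the `(string)$_POST["files"]` fallback still raises an undefined-index notice when neither `file` nor `files` is sent; an `isset` check with an `''` default would make that path explicit.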
+++ b/apps/files/ajax/download.php
@@ -25,8 +25,8 @@ OCP\User::checkLoggedIn();
 \OC::$server->getSession()->close();
-$files = isset($_GET['files']) ? $_GET['files'] : '';
-$dir = isset($_GET['dir']) ? $_GET['dir'] : '';
+$files = isset($_GET['files']) ? (string)$_GET['files'] : '';
+$dir = isset($_GET['dir']) ? (string)$_GET['dir'] : '';
 $files_list = json_decode($files);
 // in case we get only a single file
diff --git a/apps/files/ajax/getstoragestats.php b/apps/files/ajax/getstoragestats.php
index fb7ccdc86cc..192c8ae2c70 100644
--- a/apps/files/ajax/getstoragestats.php
+++ b/apps/files/ajax/getstoragestats.php
@@ -3,7 +3,7 @@
 $dir = '/';
 if (isset($_GET['dir'])) {
- $dir = $_GET['dir'];
+ $dir = (string)$_GET['dir'];
 }
 OCP\JSON::checkLoggedIn();
diff --git a/apps/files/ajax/list.php b/apps/files/ajax/list.php
index 4aed79d70f7..f73dbf86093 100644
--- a/apps/files/ajax/list.php
+++ b/apps/files/ajax/list.php
@@ -5,7 +5,7 @@ OCP\JSON::checkLoggedIn();
 $l = \OC::$server->getL10N('files');
 // Load the files
-$dir = isset($_GET['dir']) ? $_GET['dir'] : '';
+$dir = isset($_GET['dir']) ? (string)$_GET['dir'] : '';
 $dir = \OC\Files\Filesystem::normalizePath($dir);
 try {
@@ -20,7 +20,7 @@ try {
 $permissions = $dirInfo->getPermissions();
- $sortAttribute = isset($_GET['sort']) ? $_GET['sort'] : 'name';
+ $sortAttribute = isset($_GET['sort']) ? (string)$_GET['sort'] : 'name';
 $sortDirection = isset($_GET['sortdirection']) ? ($_GET['sortdirection'] === 'desc') : false;
 // make filelist
diff --git a/apps/files/ajax/mimeicon.php b/apps/files/ajax/mimeicon.php
index c531f5a3e81..82f6695bf08 100644
--- a/apps/files/ajax/mimeicon.php
+++ b/apps/files/ajax/mimeicon.php
@@ -1,6 +1,6 @@ getSession()->close();
-$mime = isset($_GET['mime']) ? $_GET['mime'] : '';
+$mime = isset($_GET['mime']) ? (string)$_GET['mime'] : '';
 print OC_Helper::mimetypeIcon($mime);
diff --git a/apps/files/ajax/move.php b/apps/files/ajax/move.php
index a9e0d09f176..f3f3fbb8d9b 100644
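Review bot: The `(string)` cast on the new `$files` and `$dir` lines masks an array parameter instead of rejecting it: `files[]=x` becomes the literal string `"Array"` (with an "Array to string conversion" notice), `json_decode($files)` on the next line then yields null, and the request carries on with a bogus name; what the single-file fallback below the hunk does with it is not visible here. If the point of the commit is to stop type juggling on these endpoints, refuse non-strings before the cast, e.g. `if (isset($_GET['files']) && !is_string($_GET['files'])) { header('HTTP/1.0 400 Bad Request'); exit(); }`. The same holds for every `(string)` cast in this patch; this endpoint is simply the one that acts on the value immediately.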
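Review bot: `$sortAttribute` is cast to string on the new line but not constrained to a known attribute, so any `?sort=` value reaches whatever sorts the listing further down (below the hunk, not visible here). If that helper does not already fall back to a default for unknown names, clamp it at the boundary: `$sortAttribute = in_array($sortAttribute, $allowedSortAttributes, true) ? $sortAttribute : 'name';` with the helper's accepted names in the array. The neighbouring `$_GET['sortdirection'] === 'desc'` already reduces its input to a known set, which makes the asymmetry with `sort` stand out.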
--- a/apps/files/ajax/move.php
+++ b/apps/files/ajax/move.php
@@ -5,9 +5,9 @@ OCP\JSON::callCheck();
 \OC::$server->getSession()->close();
 // Get data
-$dir = isset($_POST['dir']) ? $_POST['dir'] : '';
-$file = isset($_POST['file']) ? $_POST['file'] : '';
-$target = isset($_POST['target']) ? rawurldecode($_POST['target']) : '';
+$dir = isset($_POST['dir']) ? (string)$_POST['dir'] : '';
+$file = isset($_POST['file']) ? (string)$_POST['file'] : '';
+$target = isset($_POST['target']) ? rawurldecode((string)$_POST['target']) : '';
 $l = \OC::$server->getL10N('files');
diff --git a/apps/files/ajax/newfile.php b/apps/files/ajax/newfile.php
index 159a8b5d7a3..4f5d102b404 100644
--- a/apps/files/ajax/newfile.php
+++ b/apps/files/ajax/newfile.php
@@ -9,10 +9,10 @@ global $eventSource;
 \OC::$server->getSession()->close();
 // Get the params
-$dir = isset( $_REQUEST['dir'] ) ? '/'.trim($_REQUEST['dir'], '/\\') : '';
-$filename = isset( $_REQUEST['filename'] ) ? trim($_REQUEST['filename'], '/\\') : '';
-$content = isset( $_REQUEST['content'] ) ? $_REQUEST['content'] : '';
-$source = isset( $_REQUEST['source'] ) ? trim($_REQUEST['source'], '/\\') : '';
+$dir = isset( $_REQUEST['dir'] ) ? '/'.trim((string)$_REQUEST['dir'], '/\\') : '';
+$filename = isset( $_REQUEST['filename'] ) ? trim((string)$_REQUEST['filename'], '/\\') : '';
+$content = isset( $_REQUEST['content'] ) ? (string)$_REQUEST['content'] : '';
+$source = isset( $_REQUEST['source'] ) ? trim((string)$_REQUEST['source'], '/\\') : '';
 if($source) {
 $eventSource = \OC::$server->createEventSource();
diff --git a/apps/files/ajax/newfolder.php b/apps/files/ajax/newfolder.php
index fab230717de..e5e038b715c 100644
--- a/apps/files/ajax/newfolder.php
+++ b/apps/files/ajax/newfolder.php
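Review bot: `$target` is the only one of the three inputs that goes through `rawurldecode()`, on a value PHP has already form-decoded once, so a percent-encoded sequence such as `%252e%252e%252f` arrives as `../` in `$target` but stays `%2e%2e%2f` in `$dir` and `$file`; the added `(string)` cast leaves that asymmetry in place. Whether it matters depends on the path checks below the hunk, which are not visible here, but the line deserves either a comment stating why the client double-encodes this one field, e.g. `// target is URL-encoded by the client on top of form encoding; decode that extra layer`, or removal of the decode if the client no longer does so.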
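Review bot: The four new lines keep reading from `$_REQUEST`, while every other mutating endpoint in this patch (`delete.php`, `move.php`, `newfolder.php`, `upload.php`) reads `$_POST`; `$_REQUEST` merges GET and POST (and cookies, depending on `request_order`), so `dir`, `filename`, `content` and the server-side fetch target `source` can all be supplied through the query string of a link. Switching to `$_POST`, e.g. `$dir = isset( $_POST['dir'] ) ? '/'.trim((string)$_POST['dir'], '/\\') : '';` and likewise for the other three, would match the siblings. Any CSRF check guarding this file sits above line 9 and cannot be seen from the hunk.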
@@ -8,8 +8,8 @@ OCP\JSON::callCheck();
 \OC::$server->getSession()->close();
 // Get the params
-$dir = isset($_POST['dir']) ? $_POST['dir'] : '';
-$foldername = isset($_POST['foldername']) ? $_POST['foldername'] : '';
+$dir = isset($_POST['dir']) ? (string)$_POST['dir'] : '';
+$foldername = isset($_POST['foldername']) ?(string) $_POST['foldername'] : '';
 $l10n = \OC::$server->getL10N('files');
diff --git a/apps/files/ajax/rename.php b/apps/files/ajax/rename.php
index 6ea53468861..6f248265562 100644
--- a/apps/files/ajax/rename.php
+++ b/apps/files/ajax/rename.php
@@ -30,9 +30,9 @@ $files = new \OCA\Files\App(
 \OC::$server->getL10N('files')
 );
 $result = $files->rename(
- isset($_GET['dir']) ? $_GET['dir'] : '',
- isset($_GET['file']) ? $_GET['file'] : '',
- isset($_GET['newname']) ? $_GET['newname'] : ''
+ isset($_GET['dir']) ? (string)$_GET['dir'] : '',
+ isset($_GET['file']) ? (string)$_GET['file'] : '',
+ isset($_GET['newname']) ? (string)$_GET['newname'] : ''
 );
 if($result['success'] === true){
diff --git a/apps/files/ajax/scan.php b/apps/files/ajax/scan.php
index f8977c2971e..89641f1890b 100644
--- a/apps/files/ajax/scan.php
+++ b/apps/files/ajax/scan.php
@@ -3,7 +3,7 @@
 set_time_limit(0); //scanning can take ages
 \OC::$server->getSession()->close();
 $force = (isset($_GET['force']) and ($_GET['force'] === 'true'));
-$dir = isset($_GET['dir']) ? $_GET['dir'] : '';
+$dir = isset($_GET['dir']) ? (string)$_GET['dir'] : '';
 if (isset($_GET['users'])) {
 OC_JSON::checkAdminUser();
 if ($_GET['users'] === 'all') {
diff --git a/apps/files/ajax/upload.php b/apps/files/ajax/upload.php
index 88375f82acb..321a14e70fc 100644
--- a/apps/files/ajax/upload.php
+++ b/apps/files/ajax/upload.php
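Review bot: The new `$foldername` line spaces its cast as `?(string) $_POST['foldername']`, unlike every other cast in this patch, which is written `? (string)$_POST[...]`. Write it as `$foldername = isset($_POST['foldername']) ? (string)$_POST['foldername'] : '';` so the casts read uniformly across the AJAX files.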
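Review bot: The three cast arguments to `$files->rename(` are still read from `$_GET`, so a state-changing rename is driven entirely by query-string parameters, which land in web-server and proxy access logs and in `Referer` headers; the sibling mutating endpoints in this patch (`move.php`, `newfolder.php`, `delete.php`) read `$_POST`. Whether a CSRF token check protects this file cannot be seen from the hunk, since it would sit above line 30. Reading `dir`, `file` and `newname` from `$_POST` here (with the matching client change) would align it with the others.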
@@ -16,7 +16,7 @@ $l = \OC::$server->getL10N('files');
 if (empty($_POST['dirToken'])) {
 // The standard case, files are uploaded through logged in users :)
 OCP\JSON::checkLoggedIn();
- $dir = isset($_POST['dir']) ? $_POST['dir'] : "";
+ $dir = isset($_POST['dir']) ? (string)$_POST['dir'] : '';
 if (!$dir || empty($dir) || $dir === false) {
 OCP\JSON::error(array('data' => array_merge(array('message' => $l->t('Unable to set upload directory.')))));
 die();
@@ -30,9 +30,9 @@ if (empty($_POST['dirToken'])) {
 // return only read permissions for public upload
 $allowedPermissions = \OCP\Constants::PERMISSION_READ;
- $publicDirectory = !empty($_POST['subdir']) ? $_POST['subdir'] : '/';
+ $publicDirectory = !empty($_POST['subdir']) ? (string)$_POST['subdir'] : '/';
- $linkItem = OCP\Share::getShareByToken($_POST['dirToken']);
+ $linkItem = OCP\Share::getShareByToken((string)$_POST['dirToken']);
 if ($linkItem === false) {
 OCP\JSON::error(array('data' => array_merge(array('message' => $l->t('Invalid Token')))));
 die();
-- 
cgit v1.2.3
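Review bot: Now that `$dir` is always a string, the guard on the line after the change, `if (!$dir || empty($dir) || $dir === false)`, is both redundant and wrong for one legitimate value: `!$dir` and `empty($dir)` are true for the string `"0"`, so uploads into a folder named `0` are refused with "Unable to set upload directory.", while `$dir === false` can no longer be true at all. Replace the three tests with `if ($dir === '') {`.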
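Review bot: `!empty($_POST['subdir'])` on the new `$publicDirectory` line treats a subdirectory named `"0"` as absent and silently redirects that public upload to `/`, because `empty("0")` is true in PHP. Test emptiness on the cast value instead: `$publicDirectory = (isset($_POST['subdir']) && (string)$_POST['subdir'] !== '') ? (string)$_POST['subdir'] : '/';`. The `(string)` cast on the `dirToken` line below is fine as written.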