From 7d98e83e3f13d64eab893e27c943dcba9b54b808 Mon Sep 17 00:00:00 2001 From: Robin Appelman Date: Mon, 21 Aug 2023 19:45:03 +0200 Subject: fix: add some recrusive detection/prevention Signed-off-by: Robin Appelman --- apps/files_sharing/lib/SharedStorage.php | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'apps') diff --git a/apps/files_sharing/lib/SharedStorage.php b/apps/files_sharing/lib/SharedStorage.php index de49e3c4294..65f34b7b953 100644 --- a/apps/files_sharing/lib/SharedStorage.php +++ b/apps/files_sharing/lib/SharedStorage.php @@ -40,6 +40,7 @@ use OC\Files\Storage\Common; use OC\Files\Storage\FailedStorage; use OC\Files\Storage\Home; use OC\Files\Storage\Wrapper\PermissionsMask; +use OC\Files\Storage\Wrapper\Wrapper; use OC\User\DisplayNameCache; use OC\User\NoUserException; use OCA\Files_External\Config\ExternalMountPoint; @@ -96,6 +97,8 @@ class SharedStorage extends \OC\Files\Storage\Wrapper\Jail implements ISharedSto private string $sourcePath = ''; + private static int $initDepth = 0; + public function __construct($arguments) { $this->ownerView = $arguments['ownerView']; $this->logger = \OC::$server->get(LoggerInterface::class); @@ -135,8 +138,15 @@ class SharedStorage extends \OC\Files\Storage\Wrapper\Jail implements ISharedSto if ($this->initialized) { return; } + $this->initialized = true; + self::$initDepth++; + try { + if (self::$initDepth > 10) { + throw new \Exception("Maximum share depth reached"); + } + /** @var IRootFolder $rootFolder */ $rootFolder = \OC::$server->get(IRootFolder::class); $this->ownerUserFolder = $rootFolder->getUserFolder($this->superShare->getShareOwner()); @@ -149,6 +159,9 @@ class SharedStorage extends \OC\Files\Storage\Wrapper\Jail implements ISharedSto $this->cache = new FailedCache(); $this->rootPath = ''; } else { + if ($this->nonMaskedStorage instanceof Wrapper && $this->nonMaskedStorage->isWrapperOf($this)) { + throw new \Exception('recursive share detected'); + } $this->nonMaskedStorage = $ownerNode->getStorage(); $this->sourcePath = $ownerNode->getPath(); $this->rootPath = $ownerNode->getInternalPath(); @@ -177,6 +190,7 @@ class SharedStorage extends \OC\Files\Storage\Wrapper\Jail implements ISharedSto if (!$this->nonMaskedStorage) { $this->nonMaskedStorage = $this->storage; } + self::$initDepth--; } /** -- cgit v1.2.3