fix users being to able to read files outside the datadir
This commit is contained in:
Robin Appelman
parent
69ab810005
commit
23d006fc25
2 changed files with 33 additions and 12 deletions
|
|
@ -130,19 +130,28 @@ class OC_FILES {
|
|||
$zip=false;
|
||||
$filename=$dir.'/'.$files;
|
||||
}
|
||||
header('Content-Disposition: attachment; filename='.basename($filename));
|
||||
header('Content-Transfer-Encoding: binary');
|
||||
header('Expires: 0');
|
||||
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
|
||||
header('Pragma: public');
|
||||
header('Content-Length: ' . filesize($filename));
|
||||
if(!$zip){
|
||||
$filename=OC_FILESYSTEM::toTmpFile($filename);
|
||||
if($zip or OC_FILESYSTEM::is_readable($filename)){
|
||||
header('Content-Disposition: attachment; filename='.basename($filename));
|
||||
header('Content-Transfer-Encoding: binary');
|
||||
header('Expires: 0');
|
||||
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
|
||||
header('Pragma: public');
|
||||
header('Content-Length: ' . filesize($filename));
|
||||
}elseif($zip or !OC_FILESYSTEM::file_exists($filename)){
|
||||
header("HTTP/1.0 404 Not Found");
|
||||
die('404 Not Found');
|
||||
}else{
|
||||
header("HTTP/1.0 403 Forbidden");
|
||||
die('403 Forbidden');
|
||||
}
|
||||
ob_end_clean();
|
||||
OC_LOG::event($_SESSION['username'],3,"$dir/$files");
|
||||
readfile($filename);
|
||||
unlink($filename);
|
||||
if($zip){
|
||||
readfile($filename);
|
||||
unlink($filename);
|
||||
}else{
|
||||
OC_FILESYSTEM::readfile($filename);
|
||||
}
|
||||
foreach(self::$tmpFiles as $tmpFile){
|
||||
if(file_exists($tmpFile) and is_file($tmpFile)){
|
||||
unlink($tmpFile);
|
||||
|
|
|
|||
|
|
@ -34,7 +34,13 @@ class OC_FILESYSTEM{
|
|||
* @param string path
|
||||
* @return bool
|
||||
*/
|
||||
static private function canRead(){
|
||||
static private function canRead($path){
|
||||
if(substr($path,0,1)!=='/'){
|
||||
$path='/'.$path;
|
||||
}
|
||||
if(strstr($path,'/../')){
|
||||
return false;
|
||||
}
|
||||
return true;//dummy untill premissions are correctly implemented, also the correcty value because for now users are locked in their seperate data dir and can read/write everything in there
|
||||
}
|
||||
/**
|
||||
|
|
@ -42,7 +48,13 @@ class OC_FILESYSTEM{
|
|||
* @param string path
|
||||
* @return bool
|
||||
*/
|
||||
static private function canWrite(){
|
||||
static private function canWrite($path){
|
||||
if(substr($path,0,1)!=='/'){
|
||||
$path='/'.$path;
|
||||
}
|
||||
if(strstr($path,'/../')){
|
||||
return false;
|
||||
}
|
||||
return true;//dummy untill premissions are correctly implemented, also the correcty value because for now users are locked in their seperate data dir and can read/write everything in there
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue