merge master into webdav-injection
This commit is contained in:
commit
295b75cca9
15 changed files with 195 additions and 153 deletions
|
@ -19,6 +19,7 @@
|
|||
.searchbox input[type="search"]:focus,
|
||||
.searchbox input[type="search"]:active {
|
||||
width: 155px;
|
||||
max-width: 50%;
|
||||
}
|
||||
|
||||
/* do not show display name on mobile when profile picture is present */
|
||||
|
|
|
@ -191,7 +191,9 @@ class OC_Connector_Sabre_File extends OC_Connector_Sabre_Node implements Sabre_D
|
|||
* @return mixed
|
||||
*/
|
||||
public function getContentType() {
|
||||
return $this->info->getMimetype();
|
||||
$mimeType = $this->info->getMimetype();
|
||||
|
||||
return \OC_Helper::getSecureMimeType($mimeType);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
@ -17,24 +17,40 @@ namespace OC\Files\Type;
|
|||
*/
|
||||
class Detection {
|
||||
protected $mimetypes = array();
|
||||
protected $secureMimeTypes = array();
|
||||
|
||||
/**
|
||||
* add an extension -> mimetype mapping
|
||||
* Add an extension -> mimetype mapping
|
||||
*
|
||||
* $mimetype is the assumed correct mime type
|
||||
* The optional $secureMimeType is an alternative to send to send
|
||||
* to avoid potential XSS.
|
||||
*
|
||||
* @param string $extension
|
||||
* @param string $mimetype
|
||||
* @param string|null $secureMimeType
|
||||
*/
|
||||
public function registerType($extension, $mimetype) {
|
||||
$this->mimetypes[$extension] = $mimetype;
|
||||
public function registerType($extension, $mimetype, $secureMimeType = null) {
|
||||
$this->mimetypes[$extension] = array($mimetype, $secureMimeType);
|
||||
$this->secureMimeTypes[$mimetype] = $secureMimeType ?: $mimetype;
|
||||
}
|
||||
|
||||
/**
|
||||
* add an array of extension -> mimetype mappings
|
||||
* Add an array of extension -> mimetype mappings
|
||||
*
|
||||
* The mimetype value is in itself an array where the first index is
|
||||
* the assumed correct mimetype and the second is either a secure alternative
|
||||
* or null if the correct is considered secure.
|
||||
*
|
||||
* @param array $types
|
||||
*/
|
||||
public function registerTypeArray($types) {
|
||||
$this->mimetypes = array_merge($this->mimetypes, $types);
|
||||
|
||||
// Update the alternative mimetypes to avoid having to look them up each time.
|
||||
foreach ($this->mimetypes as $mimeType) {
|
||||
$this->secureMimeTypes[$mimeType[0]] = $mimeType[1] ?: $mimeType[0];
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -48,7 +64,9 @@ class Detection {
|
|||
//try to guess the type by the file extension
|
||||
$extension = strtolower(strrchr(basename($path), "."));
|
||||
$extension = substr($extension, 1); //remove leading .
|
||||
return (isset($this->mimetypes[$extension])) ? $this->mimetypes[$extension] : 'application/octet-stream';
|
||||
return (isset($this->mimetypes[$extension]) && isset($this->mimetypes[$extension][0]))
|
||||
? $this->mimetypes[$extension][0]
|
||||
: 'application/octet-stream';
|
||||
} else {
|
||||
return 'application/octet-stream';
|
||||
}
|
||||
|
@ -123,4 +141,16 @@ class Detection {
|
|||
return $mime;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Get a secure mimetype that won't expose potential XSS.
|
||||
*
|
||||
* @param string $mimeType
|
||||
* @return string
|
||||
*/
|
||||
public function getSecureMimeType($mimeType) {
|
||||
return isset($this->secureMimeTypes[$mimeType])
|
||||
? $this->secureMimeTypes[$mimeType]
|
||||
: 'application/octet-stream';
|
||||
}
|
||||
}
|
||||
|
|
|
@ -172,12 +172,6 @@ class Group {
|
|||
$users = array();
|
||||
foreach ($this->backends as $backend) {
|
||||
$userIds = $backend->usersInGroup($this->gid, $search, $limit, $offset);
|
||||
if (!is_null($limit)) {
|
||||
$limit -= count($userIds);
|
||||
}
|
||||
if (!is_null($offset)) {
|
||||
$offset -= count($userIds);
|
||||
}
|
||||
$users += $this->getVerifiedUsers($userIds);
|
||||
if (!is_null($limit) and $limit <= 0) {
|
||||
return array_values($users);
|
||||
|
@ -223,12 +217,6 @@ class Group {
|
|||
} else {
|
||||
$userIds = $backend->usersInGroup($this->gid, $search, $limit, $offset);
|
||||
}
|
||||
if (!is_null($limit)) {
|
||||
$limit -= count($userIds);
|
||||
}
|
||||
if (!is_null($offset)) {
|
||||
$offset -= count($userIds);
|
||||
}
|
||||
$users = $this->getVerifiedUsers($userIds);
|
||||
if (!is_null($limit) and $limit <= 0) {
|
||||
return array_values($users);
|
||||
|
|
|
@ -134,12 +134,6 @@ class Manager extends PublicEmitter {
|
|||
$groups = array();
|
||||
foreach ($this->backends as $backend) {
|
||||
$groupIds = $backend->getGroups($search, $limit, $offset);
|
||||
if (!is_null($limit)) {
|
||||
$limit -= count($groupIds);
|
||||
}
|
||||
if (!is_null($offset)) {
|
||||
$offset -= count($groupIds);
|
||||
}
|
||||
foreach ($groupIds as $groupId) {
|
||||
$groups[$groupId] = $this->getGroupObject($groupId);
|
||||
}
|
||||
|
|
|
@ -430,6 +430,16 @@ class OC_Helper {
|
|||
return self::getMimetypeDetector()->detect($path);
|
||||
}
|
||||
|
||||
/**
|
||||
* Get a secure mimetype that won't expose potential XSS.
|
||||
*
|
||||
* @param string $mimeType
|
||||
* @return string
|
||||
*/
|
||||
static function getSecureMimeType($mimeType) {
|
||||
return self::getMimetypeDetector()->getSecureMimeType($mimeType);
|
||||
}
|
||||
|
||||
/**
|
||||
* get the mimetype form a data string
|
||||
*
|
||||
|
|
|
@ -418,6 +418,14 @@ class OC_L10N implements \OCP\IL10N {
|
|||
return $text[$lang];
|
||||
}
|
||||
|
||||
/**
|
||||
* The given language is forced to be used while executing the current request
|
||||
* @param string $lang
|
||||
*/
|
||||
public static function forceLanguage($lang) {
|
||||
self::$language = $lang;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief find the best language
|
||||
* @param array|string $app details below
|
||||
|
|
|
@ -22,111 +22,115 @@
|
|||
|
||||
/**
|
||||
* Array mapping file extensions to mimetypes (in alphabetical order).
|
||||
*
|
||||
* The first index in the mime type array is the assumed correct mimetype
|
||||
* and the second is either a secure alternative or null if the correct
|
||||
* is considered secure.
|
||||
*/
|
||||
return array(
|
||||
'7z' => 'application/x-7z-compressed',
|
||||
'accdb' => 'application/msaccess',
|
||||
'ai' => 'application/illustrator',
|
||||
'avi' => 'video/x-msvideo',
|
||||
'bash' => 'text/x-shellscript',
|
||||
'blend' => 'application/x-blender',
|
||||
'bin' => 'application/x-bin',
|
||||
'bmp' => 'image/bmp',
|
||||
'cb7' => 'application/x-cbr',
|
||||
'cba' => 'application/x-cbr',
|
||||
'cbr' => 'application/x-cbr',
|
||||
'cbt' => 'application/x-cbr',
|
||||
'cbtc' => 'application/x-cbr',
|
||||
'cbz' => 'application/x-cbr',
|
||||
'cc' => 'text/x-c',
|
||||
'cdr' => 'application/coreldraw',
|
||||
'cpp' => 'text/x-c++src',
|
||||
'css' => 'text/css',
|
||||
'csv' => 'text/csv',
|
||||
'cvbdl' => 'application/x-cbr',
|
||||
'c' => 'text/x-c',
|
||||
'c++' => 'text/x-c++src',
|
||||
'deb' => 'application/x-deb',
|
||||
'doc' => 'application/msword',
|
||||
'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
|
||||
'dot' => 'application/msword',
|
||||
'dotx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.template',
|
||||
'dv' => 'video/dv',
|
||||
'eot' => 'application/vnd.ms-fontobject',
|
||||
'epub' => 'application/epub+zip',
|
||||
'exe' => 'application/x-ms-dos-executable',
|
||||
'flac' => 'audio/flac',
|
||||
'gif' => 'image/gif',
|
||||
'gz' => 'application/x-gzip',
|
||||
'gzip' => 'application/x-gzip',
|
||||
'html' => 'text/html',
|
||||
'htm' => 'text/html',
|
||||
'ical' => 'text/calendar',
|
||||
'ics' => 'text/calendar',
|
||||
'impress' => 'text/impress',
|
||||
'jpeg' => 'image/jpeg',
|
||||
'jpg' => 'image/jpeg',
|
||||
'js' => 'application/javascript',
|
||||
'json' => 'application/json',
|
||||
'keynote' => 'application/x-iwork-keynote-sffkey',
|
||||
'kra' => 'application/x-krita',
|
||||
'm2t' => 'video/mp2t',
|
||||
'm4v' => 'video/mp4',
|
||||
'markdown' => 'text/markdown',
|
||||
'mdown' => 'text/markdown',
|
||||
'md' => 'text/markdown',
|
||||
'mdb' => 'application/msaccess',
|
||||
'mdwn' => 'text/markdown',
|
||||
'mkv' => 'video/x-matroska',
|
||||
'mobi' => 'application/x-mobipocket-ebook',
|
||||
'mov' => 'video/quicktime',
|
||||
'mp3' => 'audio/mpeg',
|
||||
'mp4' => 'video/mp4',
|
||||
'mpeg' => 'video/mpeg',
|
||||
'mpg' => 'video/mpeg',
|
||||
'msi' => 'application/x-msi',
|
||||
'numbers' => 'application/x-iwork-numbers-sffnumbers',
|
||||
'odg' => 'application/vnd.oasis.opendocument.graphics',
|
||||
'odp' => 'application/vnd.oasis.opendocument.presentation',
|
||||
'ods' => 'application/vnd.oasis.opendocument.spreadsheet',
|
||||
'odt' => 'application/vnd.oasis.opendocument.text',
|
||||
'oga' => 'audio/ogg',
|
||||
'ogg' => 'audio/ogg',
|
||||
'ogv' => 'video/ogg',
|
||||
'otf' => 'font/opentype',
|
||||
'pages' => 'application/x-iwork-pages-sffpages',
|
||||
'pdf' => 'application/pdf',
|
||||
'php' => 'application/x-php',
|
||||
'pl' => 'application/x-perl',
|
||||
'png' => 'image/png',
|
||||
'ppt' => 'application/mspowerpoint',
|
||||
'pptx' => 'application/vnd.openxmlformats-officedocument.presentationml.presentation',
|
||||
'psd' => 'application/x-photoshop',
|
||||
'py' => 'text/x-python',
|
||||
'rar' => 'application/x-rar-compressed',
|
||||
'reveal' => 'text/reveal',
|
||||
'sgf' => 'application/sgf',
|
||||
'sh-lib' => 'text/x-shellscript',
|
||||
'sh' => 'text/x-shellscript',
|
||||
'svg' => 'image/svg+xml',
|
||||
'swf' => 'application/x-shockwave-flash',
|
||||
'tar' => 'application/x-tar',
|
||||
'tar.gz' => 'application/x-compressed',
|
||||
'tex' => 'application/x-tex',
|
||||
'tgz' => 'application/x-compressed',
|
||||
'tiff' => 'image/tiff',
|
||||
'tif' => 'image/tiff',
|
||||
'ttf' => 'application/x-font-ttf',
|
||||
'txt' => 'text/plain',
|
||||
'vcard' => 'text/vcard',
|
||||
'vcf' => 'text/vcard',
|
||||
'wav' => 'audio/wav',
|
||||
'webm' => 'video/webm',
|
||||
'woff' => 'application/font-woff',
|
||||
'wmv' => 'video/x-ms-asf',
|
||||
'xcf' => 'application/x-gimp',
|
||||
'xls' => 'application/msexcel',
|
||||
'xlsx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
|
||||
'xml' => 'application/xml',
|
||||
'zip' => 'application/zip',
|
||||
'7z' => array('application/x-7z-compressed', null),
|
||||
'accdb' => array('application/msaccess', null),
|
||||
'ai' => array('application/illustrator', null),
|
||||
'avi' => array('video/x-msvideo', null),
|
||||
'bash' => array('text/x-shellscript', null),
|
||||
'blend' => array('application/x-blender', null),
|
||||
'bin' => array('application/x-bin', null),
|
||||
'bmp' => array('image/bmp', null),
|
||||
'cb7' => array('application/x-cbr', null),
|
||||
'cba' => array('application/x-cbr', null),
|
||||
'cbr' => array('application/x-cbr', null),
|
||||
'cbt' => array('application/x-cbr', null),
|
||||
'cbtc' => array('application/x-cbr', null),
|
||||
'cbz' => array('application/x-cbr', null),
|
||||
'cc' => array('text/x-c', null),
|
||||
'cdr' => array('application/coreldraw', null),
|
||||
'cpp' => array('text/x-c++src', null),
|
||||
'css' => array('text/css', null),
|
||||
'csv' => array('text/csv', null),
|
||||
'cvbdl' => array('application/x-cbr', null),
|
||||
'c' => array('text/x-c', null),
|
||||
'c++' => array('text/x-c++src', null),
|
||||
'deb' => array('application/x-deb', null),
|
||||
'doc' => array('application/msword', null),
|
||||
'docx' => array('application/vnd.openxmlformats-officedocument.wordprocessingml.document', null),
|
||||
'dot' => array('application/msword', null),
|
||||
'dotx' => array('application/vnd.openxmlformats-officedocument.wordprocessingml.template', null),
|
||||
'dv' => array('video/dv', null),
|
||||
'eot' => array('application/vnd.ms-fontobject', null),
|
||||
'epub' => array('application/epub+zip', null),
|
||||
'exe' => array('application/x-ms-dos-executable', null),
|
||||
'flac' => array('audio/flac', null),
|
||||
'gif' => array('image/gif', null),
|
||||
'gz' => array('application/x-gzip', null),
|
||||
'gzip' => array('application/x-gzip', null),
|
||||
'html' => array('text/html', 'text/plain'),
|
||||
'htm' => array('text/html', 'text/plain'),
|
||||
'ical' => array('text/calendar', null),
|
||||
'ics' => array('text/calendar', null),
|
||||
'impress' => array('text/impress', null),
|
||||
'jpeg' => array('image/jpeg', null),
|
||||
'jpg' => array('image/jpeg', null),
|
||||
'js' => array('application/javascript', 'text/plain'),
|
||||
'json' => array('application/json', 'text/plain'),
|
||||
'keynote' => array('application/x-iwork-keynote-sffkey', null),
|
||||
'kra' => array('application/x-krita', null),
|
||||
'm2t' => array('video/mp2t', null),
|
||||
'm4v' => array('video/mp4', null),
|
||||
'markdown' => array('text/markdown', null),
|
||||
'mdown' => array('text/markdown', null),
|
||||
'md' => array('text/markdown', null),
|
||||
'mdb' => array('application/msaccess', null),
|
||||
'mdwn' => array('text/markdown', null),
|
||||
'mkv' => array('video/x-matroska', null),
|
||||
'mobi' => array('application/x-mobipocket-ebook', null),
|
||||
'mov' => array('video/quicktime', null),
|
||||
'mp3' => array('audio/mpeg', null),
|
||||
'mp4' => array('video/mp4', null),
|
||||
'mpeg' => array('video/mpeg', null),
|
||||
'mpg' => array('video/mpeg', null),
|
||||
'msi' => array('application/x-msi', null),
|
||||
'numbers' => array('application/x-iwork-numbers-sffnumbers', null),
|
||||
'odg' => array('application/vnd.oasis.opendocument.graphics', null),
|
||||
'odp' => array('application/vnd.oasis.opendocument.presentation', null),
|
||||
'ods' => array('application/vnd.oasis.opendocument.spreadsheet', null),
|
||||
'odt' => array('application/vnd.oasis.opendocument.text', null),
|
||||
'oga' => array('audio/ogg', null),
|
||||
'ogg' => array('audio/ogg', null),
|
||||
'ogv' => array('video/ogg', null),
|
||||
'otf' => array('font/opentype', null),
|
||||
'pages' => array('application/x-iwork-pages-sffpages', null),
|
||||
'pdf' => array('application/pdf', null),
|
||||
'php' => array('application/x-php', null),
|
||||
'pl' => array('application/x-perl', null),
|
||||
'png' => array('image/png', null),
|
||||
'ppt' => array('application/mspowerpoint', null),
|
||||
'pptx' => array('application/vnd.openxmlformats-officedocument.presentationml.presentation', null),
|
||||
'psd' => array('application/x-photoshop', null),
|
||||
'py' => array('text/x-python', null),
|
||||
'rar' => array('application/x-rar-compressed', null),
|
||||
'reveal' => array('text/reveal', null),
|
||||
'sgf' => array('application/sgf', null),
|
||||
'sh-lib' => array('text/x-shellscript', null),
|
||||
'sh' => array('text/x-shellscript', null),
|
||||
'svg' => array('image/svg+xml', 'text/plain'),
|
||||
'swf' => array('application/x-shockwave-flash', 'application/octet-stream'),
|
||||
'tar' => array('application/x-tar', null),
|
||||
'tar.gz' => array('application/x-compressed', null),
|
||||
'tex' => array('application/x-tex', null),
|
||||
'tgz' => array('application/x-compressed', null),
|
||||
'tiff' => array('image/tiff', null),
|
||||
'tif' => array('image/tiff', null),
|
||||
'ttf' => array('application/x-font-ttf', null),
|
||||
'txt' => array('text/plain', null),
|
||||
'vcard' => array('text/vcard', null),
|
||||
'vcf' => array('text/vcard', null),
|
||||
'wav' => array('audio/wav', null),
|
||||
'webm' => array('video/webm', null),
|
||||
'woff' => array('application/font-woff', null),
|
||||
'wmv' => array('video/x-ms-asf', null),
|
||||
'xcf' => array('application/x-gimp', null),
|
||||
'xls' => array('application/msexcel', null),
|
||||
'xlsx' => array('application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', null),
|
||||
'xml' => array('application/xml', 'text/plain'),
|
||||
'zip' => array('application/zip', null),
|
||||
);
|
||||
|
|
|
@ -175,13 +175,6 @@ class Manager extends PublicEmitter {
|
|||
if (is_array($backendUsers)) {
|
||||
foreach ($backendUsers as $uid) {
|
||||
$users[] = $this->getUserObject($uid, $backend);
|
||||
if (!is_null($limit)) {
|
||||
$limit--;
|
||||
}
|
||||
if (!is_null($offset) and $offset > 0) {
|
||||
$offset--;
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -211,13 +204,6 @@ class Manager extends PublicEmitter {
|
|||
if (is_array($backendUsers)) {
|
||||
foreach ($backendUsers as $uid => $displayName) {
|
||||
$users[] = $this->getUserObject($uid, $backend);
|
||||
if (!is_null($limit)) {
|
||||
$limit--;
|
||||
}
|
||||
if (!is_null($offset) and $offset > 0) {
|
||||
$offset--;
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -30,6 +30,9 @@ try {
|
|||
// load all apps to get all api routes properly setup
|
||||
OC_App::loadApps();
|
||||
|
||||
// api calls always will return English
|
||||
\OC_L10N::forceLanguage('en');
|
||||
|
||||
OC::$server->getRouter()->match('/ocs'.OC_Request::getRawPathInfo());
|
||||
} catch (ResourceNotFoundException $e) {
|
||||
OC_API::setContentType();
|
||||
|
|
|
@ -9,13 +9,14 @@
|
|||
list-style:none;
|
||||
max-height:80%;
|
||||
overflow-x:hidden;
|
||||
overflow-y: scroll;
|
||||
overflow-y: auto;
|
||||
padding-bottom:6px;
|
||||
position:fixed;
|
||||
right:0;
|
||||
text-overflow:ellipsis;
|
||||
top:45px;
|
||||
width:380px;
|
||||
max-width: 95%;
|
||||
z-index:75;
|
||||
}
|
||||
|
||||
|
@ -44,18 +45,21 @@
|
|||
|
||||
#searchresults td {
|
||||
padding:0 .3em;
|
||||
height: 32px;
|
||||
height: 44px;
|
||||
}
|
||||
#searchresults tr.template {
|
||||
display: none;
|
||||
}
|
||||
|
||||
#searchresults td.result {
|
||||
width:250px;
|
||||
#searchresults .name,
|
||||
#searchresults .text {
|
||||
white-space: nowrap;
|
||||
overflow: hidden;
|
||||
text-overflow: ellipsis;
|
||||
}
|
||||
#searchresults td.result div.text {
|
||||
padding-left:1em;
|
||||
white-space:nowrap;
|
||||
#searchresults .text {
|
||||
padding-left: 16px;
|
||||
color: #999;
|
||||
}
|
||||
|
||||
#searchresults td.result * {
|
||||
|
|
|
@ -287,7 +287,7 @@ class Group extends \PHPUnit_Framework_TestCase {
|
|||
->will($this->returnValue(array('user2')));
|
||||
$backend2->expects($this->once())
|
||||
->method('usersInGroup')
|
||||
->with('group1', 'user', 1, 0)
|
||||
->with('group1', 'user', 2, 1)
|
||||
->will($this->returnValue(array('user1')));
|
||||
|
||||
$users = $group->searchUsers('user', 2, 1);
|
||||
|
|
|
@ -254,7 +254,7 @@ class Manager extends \PHPUnit_Framework_TestCase {
|
|||
$backend2 = $this->getMock('\OC_Group_Database');
|
||||
$backend2->expects($this->once())
|
||||
->method('getGroups')
|
||||
->with('1', 1, 0)
|
||||
->with('1', 2, 1)
|
||||
->will($this->returnValue(array('group12')));
|
||||
$backend2->expects($this->any())
|
||||
->method('groupExists')
|
||||
|
|
|
@ -71,6 +71,18 @@ class Test_Helper extends PHPUnit_Framework_TestCase {
|
|||
$this->assertEquals($result, $expected);
|
||||
}
|
||||
|
||||
function testGetSecureMimeType() {
|
||||
$dir=OC::$SERVERROOT.'/tests/data';
|
||||
|
||||
$result = OC_Helper::getSecureMimeType('image/svg+xml');
|
||||
$expected = 'text/plain';
|
||||
$this->assertEquals($result, $expected);
|
||||
|
||||
$result = OC_Helper::getSecureMimeType('image/png');
|
||||
$expected = 'image/png';
|
||||
$this->assertEquals($result, $expected);
|
||||
}
|
||||
|
||||
function testGetFileNameMimeType() {
|
||||
$this->assertEquals('text/plain', OC_Helper::getFileNameMimeType('foo.txt'));
|
||||
$this->assertEquals('image/png', OC_Helper::getFileNameMimeType('foo.png'));
|
||||
|
|
|
@ -210,7 +210,7 @@ class Manager extends \PHPUnit_Framework_TestCase {
|
|||
$backend2 = $this->getMock('\OC_User_Dummy');
|
||||
$backend2->expects($this->once())
|
||||
->method('getUsers')
|
||||
->with($this->equalTo('fo'), $this->equalTo(1), $this->equalTo(0))
|
||||
->with($this->equalTo('fo'), $this->equalTo(3), $this->equalTo(1))
|
||||
->will($this->returnValue(array('foo3')));
|
||||
|
||||
$manager = new \OC\User\Manager();
|
||||
|
|
Loading…
Reference in a new issue