Filter potential dangerous filenames for avatars

We don't want to have users misusing this API resulting in a potential file disclosure of "avatar.(jpg|png)" files.
This commit is contained in:
Lukas Reschke 2015-04-28 16:57:23 +02:00
parent 132ce04f31
commit 34d0e610cc
3 changed files with 34 additions and 4 deletions

View file

@ -8,6 +8,7 @@
* @author Robin McCorkell <rmccorkell@karoshi.org.uk>
* @author Roeland Jago Douma <roeland@famdouma.nl>
* @author Thomas Müller <thomas.mueller@tmit.eu>
* @author Lukas Reschke <lukas@owncloud.com>
*
* @copyright Copyright (c) 2015, ownCloud, Inc.
* @license AGPL-3.0
@ -26,23 +27,28 @@
*
*/
namespace OC;
namespace OC;
use OC_Image;
use OC\Files\Filesystem;
use OC_Image;
/**
* This class gets and sets users avatars.
*/
class Avatar implements \OCP\IAvatar {
/** @var Files\View */
private $view;
/**
* constructor
* @param string $user user to do avatar-management with
*/
* @throws \Exception In case the username is potentially dangerous
*/
public function __construct ($user) {
if(!Filesystem::isValidPath($user)) {
throw new \Exception('Username may not contain slashes');
}
$this->view = new \OC\Files\View('/'.$user);
}

View file

@ -37,6 +37,7 @@ class AvatarManager implements IAvatarManager {
* @see \OCP\IAvatar
* @param string $user the ownCloud user id
* @return \OCP\IAvatar
* @throws \Exception In case the username is potentially dangerous
*/
public function getAvatar($user) {
return new Avatar($user);

View file

@ -34,6 +34,29 @@ class Test_Avatar extends \Test\TestCase {
}
}
/**
* @return array
*/
public function traversalProvider() {
return [
['Pot\..\entiallyDangerousUsername'],
['Pot/..\entiallyDangerousUsername'],
['PotentiallyDangerousUsername/..'],
['PotentiallyDangerousUsername\../'],
['/../PotentiallyDangerousUsername'],
];
}
/**
* @dataProvider traversalProvider
* @expectedException \Exception
* @expectedExceptionMessage Username may not contain slashes
* @param string $dangerousUsername
*/
public function testAvatarTraversal($dangerousUsername) {
new Avatar($dangerousUsername);
}
public function testAvatar() {
$avatar = new Avatar($this->user);