Merge pull request #3843 from owncloud/sabre-exceptions

Sabre: throw exceptions when delete/create/write operations are not permitted
2013-06-28 07:05:09 -07:00 · 2013-06-28 07:05:09 -07:00 · 3bedb09753
commit 3bedb09753
parent 6ddfe2029c 6208780332
2 changed files with 27 additions and 3 deletions
--- a/lib/connector/sabre/directory.php
+++ b/lib/connector/sabre/directory.php
@ -45,9 +45,15 @@ class OC_Connector_Sabre_Directory extends OC_Connector_Sabre_Node implements Sa
 	 *
 	 * @param string $name Name of the file
 	 * @param resource|string $data Initial payload
+	 * @throws Sabre_DAV_Exception_Forbidden
 	 * @return null|string
 	 */
 	public function createFile($name, $data = null) {
+
+		if (!\OC\Files\Filesystem::isCreatable($this->path)) {
+			throw new \Sabre_DAV_Exception_Forbidden();
+		}
+
 		if (isset($_SERVER['HTTP_OC_CHUNKED'])) {
 			$info = OC_FileChunking::decodeName($name);
 			if (empty($info)) {
@ -102,10 +108,15 @@ class OC_Connector_Sabre_Directory extends OC_Connector_Sabre_Node implements Sa
 	 * Creates a new subdirectory
 	 *
 	 * @param string $name
+	 * @throws Sabre_DAV_Exception_Forbidden
 	 * @return void
 	 */
 	public function createDirectory($name) {

+		if (!\OC\Files\Filesystem::isCreatable($this->path)) {
+			throw new \Sabre_DAV_Exception_Forbidden();
+		}
+
 		$newPath = $this->path . '/' . $name;
 		if(!\OC\Files\Filesystem::mkdir($newPath)) {
 			throw new Sabre_DAV_Exception_Forbidden('Could not create directory '.$newPath);
@ -203,9 +214,13 @@ class OC_Connector_Sabre_Directory extends OC_Connector_Sabre_Node implements Sa
 	 * Deletes all files in this directory, and then itself
 	 *
 	 * @return void
+	 * @throws Sabre_DAV_Exception_Forbidden
 	 */
 	public function delete() {

+		if (!\OC\Files\Filesystem::isDeletable($this->path)) {
+			throw new \Sabre_DAV_Exception_Forbidden();
+		}
 		if ($this->path != "/Shared") {
 			foreach($this->getChildren() as $child) $child->delete();
 			\OC\Files\Filesystem::rmdir($this->path);
--- a/lib/connector/sabre/file.php
+++ b/lib/connector/sabre/file.php
@ -41,24 +41,29 @@ class OC_Connector_Sabre_File extends OC_Connector_Sabre_Node implements Sabre_D
 	 * return an ETag, and just return null.
 	 *
 	 * @param resource $data
+	 * @throws Sabre_DAV_Exception_Forbidden
 	 * @return string|null
 	 */
 	public function put($data) {

+		if (!\OC\Files\Filesystem::isUpdatable($this->path)) {
+			throw new \Sabre_DAV_Exception_Forbidden();
+		}
+
 		// mark file as partial while uploading (ignored by the scanner)
 		$partpath = $this->path . '.part';

 		\OC\Files\Filesystem::file_put_contents($partpath, $data);

 		//detect aborted upload
-		if (isset ($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'PUT' ) {
+		if (isset ($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'PUT') {
 			if (isset($_SERVER['CONTENT_LENGTH'])) {
 				$expected = $_SERVER['CONTENT_LENGTH'];
 				$actual = \OC\Files\Filesystem::filesize($partpath);
 				if ($actual != $expected) {
 					\OC\Files\Filesystem::unlink($partpath);
 					throw new Sabre_DAV_Exception_BadRequest(
-							'expected filesize ' . $expected . ' got ' . $actual);
+						'expected filesize ' . $expected . ' got ' . $actual);
 				}
 			}
 		}
@ -69,7 +74,7 @@ class OC_Connector_Sabre_File extends OC_Connector_Sabre_Node implements Sabre_D
 		//allow sync clients to send the mtime along in a header
 		$mtime = OC_Request::hasModificationTime();
 		if ($mtime !== false) {
-			if(\OC\Files\Filesystem::touch($this->path, $mtime)) {
+			if (\OC\Files\Filesystem::touch($this->path, $mtime)) {
 				header('X-OC-MTime: accepted');
 			}
 		}
@ -92,9 +97,13 @@ class OC_Connector_Sabre_File extends OC_Connector_Sabre_Node implements Sabre_D
 	 * Delete the current file
 	 *
 	 * @return void
+	 * @throws Sabre_DAV_Exception_Forbidden
 	 */
 	public function delete() {

+		if (!\OC\Files\Filesystem::isDeletable($this->path)) {
+			throw new \Sabre_DAV_Exception_Forbidden();
+		}
 		\OC\Files\Filesystem::unlink($this->path);

 	}