Prevent directory traversals in ctr of \OC\Files\View
This prevents misuse of \OC\Files\View when it is called with user-supplied input. In such cases an exception is now thrown.
parent
8d09cc3b91
commit
41e5850450
2 changed files with 25 additions and 0 deletions
|
@ -36,7 +36,15 @@ class View {
|
|||
*/
|
||||
protected $updater;
|
||||
|
||||
/**
|
||||
* @param string $root
|
||||
* @throws \Exception If $root contains an invalid path
|
||||
*/
|
||||
public function __construct($root = '') {
|
||||
if(!Filesystem::isValidPath($root)) {
|
||||
throw new \Exception();
|
||||
}
|
||||
|
||||
$this->fakeRoot = $root;
|
||||
$this->updater = new Updater($this);
|
||||
}
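Review bot: The new guard in `__construct` throws a bare `\Exception` with no message, so a rejected root cannot be told apart from any other failure in logs or in a caller's `catch`. A fixed message such as `throw new \Exception('Invalid root path for View');`, or a dedicated exception subclass, would let callers and log monitoring identify rejected traversal attempts without echoing the supplied path. The check also sits only in the constructor: if any other method of the class assigns `$this->fakeRoot` (none is visible here, and the class body continues outside the hunk), it should call `Filesystem::isValidPath()` too. What `isValidPath()` returns for the default `''` is not shown on this page and is worth confirming.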
|
||||
|
|
|
@ -894,4 +894,21 @@ class View extends \Test\TestCase {
|
|||
$this->assertFalse($view->unlink('foo.txt'));
|
||||
$this->assertTrue($cache->inCache('foo.txt'));
|
||||
}
|
||||
|
||||
function directoryTraversalProvider() {
|
||||
return [
|
||||
['../test/'],
|
||||
['..\\test\\my/../folder'],
|
||||
['/test/my/../foo\\'],
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider directoryTraversalProvider
|
||||
* @expectedException \Exception
|
||||
* @param string $root
|
||||
*/
|
||||
public function testConstructDirectoryTraversalException($root) {
|
||||
new \OC\Files\View($root);
|
||||
}
|
||||
}
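Review bot: `@expectedException \Exception` on `testConstructDirectoryTraversalException` is satisfied by any exception the constructor raises, including one from `new Updater($this)`, so the test would still pass if the path check were removed and something else failed. Expecting a specific exception class or message would pin it to the validation. Every provider entry has `..` followed by a separator; adding `['..']` and `['/test/..']`, plus a positive test that an ordinary root still constructs, would cover the boundary cases. `directoryTraversalProvider` has no visibility keyword, unlike the test method; `public function directoryTraversalProvider()` would match.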
|
||||
|
|