wbrawner/server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

check for filename blacklist in OC_Filesystem::isValidPath

Browse source
This commit is contained in:
Robin Appelman 2012-11-03 00:21:10 +01:00
parent 503922ff6c
commit 4c0c78d15d
2 changed files with 11 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
lib/filesystem.php
View file

@ -403,6 +403,9 @@ class OC_Filesystem{
if(strstr($path, '/../') || strrchr($path, '/') === '/..' ) { if(strstr($path, '/../') || strrchr($path, '/') === '/..' ) {
return false; return false;
} }
if(self::isFileBlacklisted($path)){
return false;
}
return true; return true;
} }
@ -412,20 +415,22 @@ class OC_Filesystem{
* @param array $data from hook * @param array $data from hook
*/ */
static public function isBlacklisted($data) { static public function isBlacklisted($data) {
$blacklist = array('.htaccess');
if (isset($data['path'])) { if (isset($data['path'])) {
$path = $data['path']; $path = $data['path'];
} else if (isset($data['newpath'])) { } else if (isset($data['newpath'])) {
$path = $data['newpath']; $path = $data['newpath'];
} }
if (isset($path)) { if (isset($path)) {
$filename = strtolower(basename($path)); $data['run'] = !self::isFileBlacklisted($path);
if (in_array($filename, $blacklist)) {
$data['run'] = false;
}
} }
} }
static public function isFileBlacklisted($path){
$blacklist = array('.htaccess');
$filename = strtolower(basename($path));
return in_array($filename, $blacklist);
}
/** /**
* following functions are equivilent to their php buildin equivilents for arguments/return values. * following functions are equivilent to their php buildin equivilents for arguments/return values.
*/ */

1
tests/lib/filesystem.php
View file

@ -101,6 +101,7 @@ class Test_Filesystem extends UnitTestCase {
$rootView->mkdir('/' . $user); $rootView->mkdir('/' . $user);
$rootView->mkdir('/' . $user . '/files'); $rootView->mkdir('/' . $user . '/files');
$this->assertFalse($rootView->file_put_contents('/.htaccess', 'foo'));
$this->assertFalse(OC_Filesystem::file_put_contents('/.htaccess', 'foo')); $this->assertFalse(OC_Filesystem::file_put_contents('/.htaccess', 'foo'));
$fh = fopen(__FILE__, 'r'); $fh = fopen(__FILE__, 'r');
$this->assertFalse(OC_Filesystem::file_put_contents('/.htaccess', $fh)); $this->assertFalse(OC_Filesystem::file_put_contents('/.htaccess', $fh));