verify that paths are valid for recursive local move

Signed-off-by: Robin Appelman <robin@icewind.nl>
This commit is contained in:
Robin Appelman 2019-06-27 11:10:08 +02:00 committed by Backportbot
parent 66dc4c9c72
commit 555b62a619

View file

@ -39,6 +39,7 @@
namespace OC\Files\Storage;
use OC\Files\Filesystem;
use OC\Files\Storage\Wrapper\Jail;
use OCP\Files\ForbiddenException;
use OCP\Files\Storage\IStorage;
@ -231,6 +232,18 @@ class Local extends \OC\Files\Storage\Common {
}
private function treeContainsBlacklistedFile(string $path): bool {
$iterator = new \RecursiveIteratorIterator(new \RecursiveDirectoryIterator($path));
foreach ($iterator as $file) {
/** @var \SplFileInfo $file */
if (Filesystem::isFileBlacklisted($file->getBasename())) {
return true;
}
}
return false;
}
public function rename($path1, $path2) {
$srcParent = dirname($path1);
$dstParent = dirname($path2);
@ -267,6 +280,10 @@ class Local extends \OC\Files\Storage\Common {
}
return $result;
}
if ($this->treeContainsBlacklistedFile($this->getSourcePath($path1))) {
throw new ForbiddenException('Invalid path', false);
}
}
return rename($this->getSourcePath($path1), $this->getSourcePath($path2));
@ -362,6 +379,10 @@ class Local extends \OC\Files\Storage\Common {
* @throws ForbiddenException
*/
public function getSourcePath($path) {
if (Filesystem::isFileBlacklisted($path)) {
throw new ForbiddenException('Invalid path', false);
}
$fullPath = $this->datadir . $path;
$currentPath = $path;
if ($this->allowSymlinks || $currentPath === '') {