becde58952
Otherwise an administrator could bypass sudo mode by installing an app that allows RCE by design. I've by intention excluded the update endpoint from the requirement because updating apps should be as unintruisive as possible. Not the cleanest approach by adding this to the AJAX endpoints instead of requiring a controller but for 11 this felt safer for me. We can clean this up together later then. (also the other AJAX endpoints in this folder do have the same logic) Ref https://github.com/nextcloud/server/issues/2487 Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
51 lines
1.8 KiB
PHP
51 lines
1.8 KiB
PHP
<?php
|
|
/**
|
|
* @copyright Copyright (c) 2016, ownCloud, Inc.
|
|
*
|
|
* @author Georg Ehrke <georg@owncloud.com>
|
|
* @author Lukas Reschke <lukas@statuscode.ch>
|
|
* @author Robin Appelman <robin@icewind.nl>
|
|
*
|
|
* @license AGPL-3.0
|
|
*
|
|
* This code is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU Affero General Public License, version 3,
|
|
* as published by the Free Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU Affero General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Affero General Public License, version 3,
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>
|
|
*
|
|
*/
|
|
OCP\JSON::checkAdminUser();
|
|
OCP\JSON::callCheck();
|
|
|
|
$lastConfirm = (int) \OC::$server->getSession()->get('last-password-confirm');
|
|
if ($lastConfirm < (time() - 30 * 60 + 15)) { // allow 15 seconds delay
|
|
$l = \OC::$server->getL10N('core');
|
|
OC_JSON::error(array( 'data' => array( 'message' => $l->t('Password confirmation is required'))));
|
|
exit();
|
|
}
|
|
|
|
if (!array_key_exists('appid', $_POST)) {
|
|
OC_JSON::error();
|
|
exit;
|
|
}
|
|
|
|
$appId = (string)$_POST['appid'];
|
|
$appId = OC_App::cleanAppId($appId);
|
|
|
|
$result = OC_App::removeApp($appId);
|
|
if($result !== false) {
|
|
// FIXME: Clear the cache - move that into some sane helper method
|
|
\OC::$server->getMemCacheFactory()->create('settings')->remove('listApps-0');
|
|
\OC::$server->getMemCacheFactory()->create('settings')->remove('listApps-1');
|
|
OC_JSON::success(array('data' => array('appid' => $appId)));
|
|
} else {
|
|
$l = \OC::$server->getL10N('settings');
|
|
OC_JSON::error(array("data" => array( "message" => $l->t("Couldn't remove app.") )));
|
|
}
|