Merge pull request #25 from owncloud/master-sabre

Bump SabreDAV to 1.7.6 - Master
owncloud-archive · Apr 9, 2013 · a13af72 · a13af72
2 parents 63cb284 + fb4cce5
commit a13af72
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 6 deletions.
diff --git a/Sabre/DAV/Browser/Plugin.php b/Sabre/DAV/Browser/Plugin.php
@@ -439,12 +439,16 @@ protected function getAssetUrl($assetName) {
      */
     protected function getLocalAssetPath($assetName) {
 
+        $assetDir = realpath(__DIR__ . '/assets') . '/';
+        $path = $assetDir . $assetName;
+
         // Making sure people aren't trying to escape from the base path.
-        $assetSplit = explode('/', $assetName);
-        if (in_array('..',$assetSplit)) {
-            throw new Sabre_DAV_Exception('Incorrect asset path');
+        $path = realpath($path);
+
+        if ($path === false || substr($path, 0, strlen($assetDir))!==$assetDir) {
+            throw new Sabre_DAV_Exception_Forbidden('Path does not exist, or escaping from the base path was detected');
         }
-        $path = __DIR__ . '/assets/' . $assetName;
+
         return $path;
 
     }

diff --git a/Sabre/DAV/Exception/ServiceUnavailable.php b/Sabre/DAV/Exception/ServiceUnavailable.php
@@ -0,0 +1,29 @@
+<?php
+
+/**
+ * Sabre_DAV_Exception_ServiceUnavailable
+ *
+ * This exception is thrown in case the service
+ * is currently not available (e.g. down for maintenance).
+ *
+ * @package Sabre
+ * @subpackage DAV
+ * @author Thomas Müller <thomas.mueller@tmit.eu>
+ * @copyright Copyright (C) 2007-2013 Rooftop Solutions. All rights reserved.
+ * @license http://code.google.com/p/sabredav/wiki/License Modified BSD License
+ */
+
+class Sabre_DAV_Exception_ServiceUnavailable extends Sabre_DAV_Exception {
+
+	/**
+	 * Returns the HTTP statuscode for this exception
+	 *
+	 * @return int
+	 */
+	public function getHTTPCode() {
+
+		return 503;
+
+	}
+
+}
diff --git a/Sabre/DAV/Version.php b/Sabre/DAV/Version.php
@@ -14,7 +14,7 @@ class Sabre_DAV_Version {
     /**
      * Full version number
      */
-    const VERSION = '1.7.5';
+    const VERSION = '1.7.6';
 
     /**
      * Stability : alpha, beta, stable

diff --git a/Sabre/DAVACL/Version.php b/Sabre/DAVACL/Version.php
@@ -14,7 +14,7 @@ class Sabre_DAVACL_Version {
     /**
      * Full version number
      */
-    const VERSION = '1.7.4';
+    const VERSION = '1.7.6';
 
     /**
      * Stability : alpha, beta, stable