
Commit f599267

committed
check for filename blacklist in OC_Filesystem::isValidPath
1 parent 3cd416b commit f599267


2 files changed

+45
-5
lines changed


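--- a/lib/filesystem.php
+++ b/lib/filesystem.php
@@ -403,6 +403,9 @@ static public function isValidPath($path) {
 if(strstr($path,'/../') || strrchr($path, '/') === '/..' ) {
 return false;
 }
+if(self::isFileBlacklisted($path)){
+return false;
+}
 return true;
 }
 
@@ -412,20 +415,22 @@ static public function isValidPath($path) {
 * @param array $data from hook
 */
 static public function isBlacklisted($data) {
-$blacklist = array('.htaccess');
 if (isset($data['path'])) {
 $path = $data['path'];
 } else if (isset($data['newpath'])) {
 $path = $data['newpath'];
 }
 if (isset($path)) {
-$filename = strtolower(basename($path));
-if (in_array($filename, $blacklist)) {
-$data['run'] = false;
-}
+$data['run'] = !self::isFileBlacklisted($path);
 }
 }
 
+static public function isFileBlacklisted($path){
+$blacklist = array('.htaccess');
+$filename = strtolower(basename($path));
+return in_array($filename, $blacklist);
+}
+
 /**
 * following functions are equivilent to their php buildin equivilents for arguments/return values.
 */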
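Review bot: In `isBlacklisted`, the new `$data['run'] = !self::isFileBlacklisted($path);` writes `true` for every path that is not blacklisted, whereas the removed code only ever set `run` to `false`. If another listener on the same write or rename signal has already vetoed the operation, this handler would reset that veto; whether that happens depends on listener order, which is not visible here. Keeping the assignment one-way preserves the old semantics: `if (self::isFileBlacklisted($path)) { $data['run'] = false; }`. The new `isFileBlacklisted` also has no docblock; it should state that it compares the lowercased basename exactly against the list, so names the storage backend might normalise differently (trailing whitespace or dots, for instance) are not covered by this check.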

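--- a/tests/lib/filesystem.php
+++ b/tests/lib/filesystem.php
@@ -72,6 +72,41 @@ public function testNormalize() {
 }
 }
 
+public function testBlacklist() {
+OC_Hook::clear('OC_Filesystem');
+OC_Hook::connect('OC_Filesystem', 'write', 'OC_Filesystem', 'isBlacklisted');
+OC_Hook::connect('OC_Filesystem', 'rename', 'OC_Filesystem', 'isBlacklisted');
+
+$run = true;
+OC_Hook::emit(
+OC_Filesystem::CLASSNAME,
+OC_Filesystem::signal_write,
+array(
+OC_Filesystem::signal_param_path => '/test/.htaccess',
+OC_Filesystem::signal_param_run => &$run
+)
+);
+$this->assertFalse($run);
+
+if (OC_Filesystem::getView()) {
+$user = OC_User::getUser();
+} else {
+$user = uniqid();
+OC_Filesystem::init('/' . $user . '/files');
+}
+
+OC_Filesystem::mount('OC_Filestorage_Temporary', array(), '/');
+
+$rootView = new OC_FilesystemView('');
+$rootView->mkdir('/' . $user);
+$rootView->mkdir('/' . $user . '/files');
+
+$this->assertFalse($rootView->file_put_contents('/.htaccess', 'foo'));
+$this->assertFalse(OC_Filesystem::file_put_contents('/.htaccess', 'foo'));
+$fh = fopen(__FILE__, 'r');
+$this->assertFalse(OC_Filesystem::file_put_contents('/.htaccess', $fh));
+}
+
 public function testHooks() {
 if(OC_Filesystem::getView()){
 $user = OC_User::getUser();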
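Review bot: `testBlacklist` only exercises the exact lowercase name on the write path, so two behaviours of the patched code are never asserted. The `'rename'` hook is connected but never emitted with a `newpath` entry, and the `strtolower` case folding is untested; an assertion such as `$this->assertFalse(OC_Filesystem::file_put_contents('/.HTACCESS', 'foo'));` would pin the latter. A positive case asserting that a non-blacklisted name still writes successfully would also guard against the check rejecting everything. The handle opened with `fopen(__FILE__, 'r')` is never closed; add `fclose($fh);` after the last assertion.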
