Skip to content

Commit

Permalink
check for filename blacklist in OC_Filesystem::isValidPath
Browse files Browse the repository at this point in the history
  • Loading branch information
@icewind1991
icewind1991 committed Nov 2, 2012
1 parent 3cd416b commit f599267
Show file tree
Hide file tree
Showing 2 changed files with 45 additions and 5 deletions.
15 changes: 10 additions & 5 deletions lib/filesystem.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -403,6 +403,9 @@ static public function isValidPath($path) {
if(strstr($path,'/../') || strrchr($path, '/') === '/..' ) {
return false;
}
if(self::isFileBlacklisted($path)){
return false;
}
return true;
}

Expand All @@ -412,20 +415,22 @@ static public function isValidPath($path) {
* @param array $data from hook
*/
static public function isBlacklisted($data) {
$blacklist = array('.htaccess');
if (isset($data['path'])) {
$path = $data['path'];
} else if (isset($data['newpath'])) {
$path = $data['newpath'];
}
if (isset($path)) {
$filename = strtolower(basename($path));
if (in_array($filename, $blacklist)) {
$data['run'] = false;
}
$data['run'] = !self::isFileBlacklisted($path);
}
}

static public function isFileBlacklisted($path){
$blacklist = array('.htaccess');
$filename = strtolower(basename($path));
return in_array($filename, $blacklist);
}

/**
* following functions are equivilent to their php buildin equivilents for arguments/return values.
*/
Expand Down
35 changes: 35 additions & 0 deletions tests/lib/filesystem.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,41 @@ public function testNormalize() {
}
}

public function testBlacklist() {
OC_Hook::clear('OC_Filesystem');
OC_Hook::connect('OC_Filesystem', 'write', 'OC_Filesystem', 'isBlacklisted');
OC_Hook::connect('OC_Filesystem', 'rename', 'OC_Filesystem', 'isBlacklisted');

$run = true;
OC_Hook::emit(
OC_Filesystem::CLASSNAME,
OC_Filesystem::signal_write,
array(
OC_Filesystem::signal_param_path => '/test/.htaccess',
OC_Filesystem::signal_param_run => &$run
)
);
$this->assertFalse($run);

if (OC_Filesystem::getView()) {
$user = OC_User::getUser();
} else {
$user = uniqid();
OC_Filesystem::init('/' . $user . '/files');
}

OC_Filesystem::mount('OC_Filestorage_Temporary', array(), '/');

$rootView = new OC_FilesystemView('');
$rootView->mkdir('/' . $user);
$rootView->mkdir('/' . $user . '/files');

$this->assertFalse($rootView->file_put_contents('/.htaccess', 'foo'));
$this->assertFalse(OC_Filesystem::file_put_contents('/.htaccess', 'foo'));
$fh = fopen(__FILE__, 'r');
$this->assertFalse(OC_Filesystem::file_put_contents('/.htaccess', $fh));
}

public function testHooks() {
if(OC_Filesystem::getView()){
$user = OC_User::getUser();
Expand Down

0 comments on commit f599267

Please sign in to comment.