Disallow path traversals in file view #14342
Refer to this link for build results (access rights to CI server needed):
public function filemtime($path) { | ||
return $this->basicOperation('filemtime', $path); | ||
} | ||
|
||
/** | ||
* @param $path |
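Review bot: The `@param $path` tag in the new docblock after `filemtime()` carries no type, so IDEs and static analysers cannot check what callers pass in. Write it as `@param string $path`, matching the path that `filemtime($path)` hands on to `basicOperation()`.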
missing type
Makes sense 👍
This prevents a misusage of \OC\Files\View by calling it with user-supplied input. In such cases an exception is now thrown.
dad22ce to 46ca0fa
@nickvergessen Adjusted.
Refer to this link for build results (access rights to CI server needed):
The inspection completed: 27 new issues, 2 updated code elements
👍
…ile-view Disallow path traversals in file view
@LukasReschke I assume we want this on all stable branches?
Not quite sure about this as it is "just" a hardening and you never know which third-party apps rely on which behaviour. Our shipped apps should work okay though. I'd say we keep this for 8.1 for now. - With a 3 month release schedule this will reach the users anyways soon :)
This prevents a misusage of \OC\Files\View by calling it with user-supplied input. In such cases an exception is now thrown.

Also I added some basic PHPDocs to that class as my IDE was crying "FIX ME" ;-)
cc @icewind1991 Please review
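
A sketch of the kind of guard this pull request describes, added here as an example and not ownCloud's own code. `SandboxedView`, `PathTraversalException` and `assertNoTraversal` are hypothetical names and rejecting every `..` segment is an assumed policy; `basicOperation` and `filemtime` mirror the method names visible in the diff.

```php
<?php
// Added illustration; hypothetical class, not ownCloud's \OC\Files\View.
class PathTraversalException extends \InvalidArgumentException {}

class SandboxedView {
    private string $root;

    public function __construct(string $root) {
        $this->root = rtrim($root, '/');
    }

    /**
     * Throw if any segment of $path is "..", whichever separator is used.
     *
     * @param string $path path relative to the view root
     * @throws PathTraversalException
     */
    private function assertNoTraversal(string $path): void {
        // Treat "\" as a separator too, so "a\..\b" cannot slip through.
        $segments = explode('/', str_replace('\\', '/', $path));
        if (in_array('..', $segments, true)) {
            throw new PathTraversalException('Path contains a ".." segment');
        }
    }

    /** Every file operation passes through the guard before touching disk. */
    private function basicOperation(string $operation, string $path) {
        $this->assertNoTraversal($path);
        $full = $this->root . '/' . ltrim($path, '/');
        return file_exists($full) ? $operation($full) : false;
    }

    public function filemtime(string $path) {
        return $this->basicOperation('filemtime', $path);
    }
}

// Constructed sample inputs, as a caller passing request parameters might.
$view = new SandboxedView(sys_get_temp_dir());
foreach (['.', 'notes/..hidden', '../../etc/passwd', 'a\\..\\b'] as $input) {
    try {
        $view->filemtime($input);
        echo "allowed:  $input\n";
    } catch (PathTraversalException $e) {
        echo "rejected: $input\n";
    }
}
```

The check compares whole segments, so a file name such as `..hidden` is still accepted while both `/`- and `\`-separated traversal attempts raise the exception before any filesystem call is made.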