Disallow path traversals in file view #14342

Merged
merged 2 commits into from Feb 19, 2015


LukasReschke
Member

This prevents a misusage of \OC\Files\View by calling it with user-supplied input. In such cases an exception is now thrown.

Also I added some basic PHPDocs to that class as my IDE was crying "FIX ME" ;-)

cc @icewind1991 Please review
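
An added example, not code from this pull request or from ownCloud: a sketch of the kind of check the description refers to, where a view rooted in one directory throws on a path containing a `..` segment instead of resolving it. The class `HypotheticalView`, its methods and the sample paths are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration: HypotheticalView is an assumed name, not \OC\Files\View.
final class HypotheticalView
{
    private array $rootSegments;

    public function __construct(string $root)
    {
        // The root is validated as well, since callers may build it from input.
        $this->rootSegments = self::safeSegments($root);
    }

    /** @return string[] path segments; throws instead of resolving ".." */
    private static function safeSegments(string $path): array
    {
        if (strpos($path, "\0") !== false) {
            throw new InvalidArgumentException('NUL byte in path');
        }
        $segments = [];
        // Treat backslashes as separators so "..\" is caught like "../".
        foreach (explode('/', str_replace('\\', '/', $path)) as $segment) {
            if ($segment === '' || $segment === '.') {
                continue; // empty and current-directory segments are dropped
            }
            if ($segment === '..') {
                throw new InvalidArgumentException('Path traversal rejected');
            }
            $segments[] = $segment; // "a..b" is a normal name and is kept
        }
        return $segments;
    }

    public function getAbsolutePath(string $path): string
    {
        return '/' . implode('/', array_merge($this->rootSegments, self::safeSegments($path)));
    }
}

// Constructed sample inputs.
$view = new HypotheticalView('/alice/files');
foreach (['photos/cat.jpg', 'a..b/notes.txt', '../bob/secret.txt', 'photos\\..\\..\\bob'] as $in) {
    try {
        echo $in, ' => ', $view->getAbsolutePath($in), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $in, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```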

@ghost

ghost commented Feb 18, 2015

Refer to this link for build results (access rights to CI server needed):
https://ci.owncloud.org//job/pull-request-analyser-ng-simple/9731/
Test PASSed.

public function filemtime($path) {
return $this->basicOperation('filemtime', $path);
}

/**
* @param $path
Contributor

missing type

@icewind1991
Contributor

Makes sense 👍

This prevents a misusage of \OC\Files\View by calling it with user-supplied input. In such cases an exception is now thrown.
@LukasReschke LukasReschke force-pushed the disallow-path-traversals-in-file-view branch from dad22ce to 46ca0fa Compare February 18, 2015 17:17
@LukasReschke
Member Author

@nickvergessen Adjusted.

@ghost

ghost commented Feb 18, 2015

Refer to this link for build results (access rights to CI server needed):
https://ci.owncloud.org//job/pull-request-analyser-ng-simple/9740/
Test PASSed.

@scrutinizer-notifier

The inspection completed: 27 new issues, 2 updated code elements

@DeepDiver1975 DeepDiver1975 added this to the 8.1-next milestone Feb 19, 2015
@DeepDiver1975
Member

👍

DeepDiver1975 added a commit that referenced this pull request Feb 19, 2015
…ile-view

Disallow path traversals in file view
@DeepDiver1975 DeepDiver1975 merged commit 84eb00e into master Feb 19, 2015
@DeepDiver1975 DeepDiver1975 deleted the disallow-path-traversals-in-file-view branch February 19, 2015 09:27
@DeepDiver1975
Member

@LukasReschke I assume we want this on all stable branches?

@LukasReschke
Member Author

Not quite sure about this as it is "just" a hardening and you never know which third-party apps rely on which behaviour.

Our shipped apps should work okay though.

I'd say we keep this for 8.1 for now. - With a 3 month release schedule this will reach the users anyways soon :)

@lock lock bot locked as resolved and limited conversation to collaborators Aug 14, 2019