upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-06-04 06:13:34 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 16

Harden issubdirectory()

Browse source 
realpath() may return false in case the directory does not exist since we can not be sure how different PHP versions may behave here we do an additional check whether realpath returned false
This commit is contained in:
Lukas Reschke 2014-05-11 15:49:19 +02:00 committed by Morris Jobke
parent 8c1eff8f52
commit 1e6b4576c2
1 changed files with 13 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
lib/private/helper.php
View file

@ -716,9 +716,21 @@ class OC_Helper {
* @return bool
*/
public static function issubdirectory($sub, $parent) {
if (strpos(realpath($sub), realpath($parent)) === 0) {
$realpathSub = realpath($sub);
$realpathParent = realpath($parent);
// realpath() may return false in case the directory does not exist
// since we can not be sure how different PHP versions may behave here
// we do an additional check whether realpath returned false
if($realpathSub === false || $realpathParent === false) {
return false;
}
// Check whether $sub is a subdirectory of $parent
if (strpos($realpathSub, $realpathParent) === 0) {
return true;
}
return false;
}