From dc6f1d875d7c6f86b07aba8b6f1119083279cd30 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Tue, 18 Feb 2014 12:32:57 +0100 Subject: [PATCH 1/3] An admin should not be able to add remote and public services on its own. This should only be possible programmatically. This change is due the fact that an admin may not be expected to execute arbitrary code in every environment. --- core/ajax/appconfig.php | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/core/ajax/appconfig.php b/core/ajax/appconfig.php index 4f26dedc797..6629d8a664b 100644 --- a/core/ajax/appconfig.php +++ b/core/ajax/appconfig.php @@ -9,28 +9,40 @@ OC_Util::checkAdminUser(); OCP\JSON::callCheck(); $action=isset($_POST['action'])?$_POST['action']:$_GET['action']; +$app=OC_App::cleanAppId(isset($_POST['app'])?$_POST['app']:$_GET['app']); + +// An admin should not be able to add remote and public services +// on its own. This should only be possible programmatically. +// This change is due the fact that an admin may not be expected +// to execute arbitrary code in every environment. +if($app === 'core' && (substr($_POST['key'],0,7) === 'remote_' || substr($_POST['key'],0,7) === 'public_')) { + OC_JSON::error(array('data' => array('message' => 'Unexpected error!'))); + return; +} + $result=false; switch($action) { case 'getValue': - $result=OC_Appconfig::getValue($_GET['app'], $_GET['key'], $_GET['defaultValue']); + $result=OC_Appconfig::getValue($app, $_GET['key'], $_GET['defaultValue']); break; case 'setValue': - $result=OC_Appconfig::setValue($_POST['app'], $_POST['key'], $_POST['value']); + $result=OC_Appconfig::setValue($app, $_POST['key'], $_POST['value']); break; case 'getApps': $result=OC_Appconfig::getApps(); break; case 'getKeys': - $result=OC_Appconfig::getKeys($_GET['app']); + $result=OC_Appconfig::getKeys($app); break; case 'hasKey': - $result=OC_Appconfig::hasKey($_GET['app'], $_GET['key']); + $result=OC_Appconfig::hasKey($app, $_GET['key']); break; case 'deleteKey': - $result=OC_Appconfig::deleteKey($_POST['app'], $_POST['key']); + $result=OC_Appconfig::deleteKey($app, $_POST['key']); break; case 'deleteApp': - $result=OC_Appconfig::deleteApp($_POST['app']); + $result=OC_Appconfig::deleteApp($app); break; } OC_JSON::success(array('data'=>$result)); + From 1352c63dca25b04594cbdfeb8c832351997a1d14 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Tue, 18 Feb 2014 12:47:05 +0100 Subject: [PATCH 2/3] Check whether the Key is set --- core/ajax/appconfig.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/ajax/appconfig.php b/core/ajax/appconfig.php index 6629d8a664b..1d066d9169a 100644 --- a/core/ajax/appconfig.php +++ b/core/ajax/appconfig.php @@ -15,7 +15,7 @@ $app=OC_App::cleanAppId(isset($_POST['app'])?$_POST['app']:$_GET['app']); // on its own. This should only be possible programmatically. // This change is due the fact that an admin may not be expected // to execute arbitrary code in every environment. -if($app === 'core' && (substr($_POST['key'],0,7) === 'remote_' || substr($_POST['key'],0,7) === 'public_')) { +if($app === 'core' && isset($_POST['key']) &&(substr($_POST['key'],0,7) === 'remote_' || substr($_POST['key'],0,7) === 'public_')) { OC_JSON::error(array('data' => array('message' => 'Unexpected error!'))); return; } From c19cacb29f263558f052ccd8d78033d63326589e Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Tue, 18 Feb 2014 14:12:49 +0100 Subject: [PATCH 3/3] Check whether the app is set --- core/ajax/appconfig.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/core/ajax/appconfig.php b/core/ajax/appconfig.php index 1d066d9169a..05b7572c6d7 100644 --- a/core/ajax/appconfig.php +++ b/core/ajax/appconfig.php @@ -9,7 +9,10 @@ OC_Util::checkAdminUser(); OCP\JSON::callCheck(); $action=isset($_POST['action'])?$_POST['action']:$_GET['action']; -$app=OC_App::cleanAppId(isset($_POST['app'])?$_POST['app']:$_GET['app']); + +if(isset($_POST['app']) || isset($_GET['app'])) { + $app=OC_App::cleanAppId(isset($_POST['app'])?$_POST['app']:$_GET['app']); +} // An admin should not be able to add remote and public services // on its own. This should only be possible programmatically.