upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-02-20 00:12:30 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 38

Harden issubdirectory()

Browse source 
realpath() may return false in case the directory does not exist since we can not be sure how different PHP versions may behave here we do an additional check whether realpath returned false
This commit is contained in:
Lukas Reschke 2014-05-11 15:49:19 +02:00
parent b6d76e9985
commit a40e49cae5
1 changed files with 13 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
lib/private/helper.php
View file

@ -733,9 +733,21 @@ class OC_Helper {
* @return bool
*/
public static function issubdirectory($sub, $parent) {
if (strpos(realpath($sub), realpath($parent)) === 0) {
$realpathSub = realpath($sub);
$realpathParent = realpath($parent);
// realpath() may return false in case the directory does not exist
// since we can not be sure how different PHP versions may behave here
// we do an additional check whether realpath returned false
if($realpathSub === false || $realpathParent === false) {
return false;
}
// Check whether $sub is a subdirectory of $parent
if (strpos($realpathSub, $realpathParent) === 0) {
return true;
}
return false;
}