From c3a64012d83b424421555b642c2bd8c59bde82c1 Mon Sep 17 00:00:00 2001
From: VicDeo
Date: Tue, 19 Mar 2013 16:40:52 +0300
Subject: [PATCH 1/5] Remove leading and trailing backslashes in classname. Ref #2310
---
 lib/base.php | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/lib/base.php b/lib/base.php
index 0d33dbb163e..c921c45f4a1 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -78,6 +78,8 @@ class OC {
 * SPL autoload
 */
 public static function autoload($className) {
+ $className = trim ($className, '\\');
+
 if (array_key_exists($className, OC::$CLASSPATH)) {
 $path = OC::$CLASSPATH[$className];
 /** @TODO: Remove this when necessary
From 5750dc9833be45bd94ae95dfd1c61a79a7d33058 Mon Sep 17 00:00:00 2001
From: Thomas Mueller
Date: Tue, 19 Mar 2013 18:00:15 +0100
Subject: [PATCH 2/5] some basic unit test for loading classes
---
 tests/lib/autoloader.php | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 tests/lib/autoloader.php
diff --git a/tests/lib/autoloader.php b/tests/lib/autoloader.php
new file mode 100644
index 00000000000..e769bf3bcf6
--- /dev/null
+++ b/tests/lib/autoloader.php
@@ -0,0 +1,19 @@
+
+ * This file is licensed under the Affero General Public License version 3 or
+ * later.
+ * See the COPYING-README file.
+ */
+
+class Test_AutoLoader extends PHPUnit_Framework_TestCase {
+
+ public function testLeadingSlashOnClassName(){
+ $this->assertTrue(class_exists('\OC\Files\Storage\Local'));
+ }
+
+ public function testNoLeadingSlashOnClassName(){
+ $this->assertTrue(class_exists('OC\Files\Storage\Local'));
+ }
+
+}
From dc41cf081cac227f0d73b56542fa6295285e170c Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Wed, 20 Mar 2013 08:43:54 +0100
Subject: [PATCH 3/5] Check if the installed PHP version has a fix for the nullbyte vulnerability
---
 core/setup.php | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/core/setup.php b/core/setup.php
index 77eed5376d6..b61590e9e4b 100644
--- a/core/setup.php
+++ b/core/setup.php
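Review bot: In `OC::autoload` (lib/base.php, PATCH 1/5) the added `trim` call has no comment explaining why the class name is normalised, and the docblock above it still says only "SPL autoload". I would put `// Callers such as class_exists('\OC\Files\Storage\Local') may pass a leading backslash; strip it so the CLASSPATH lookup matches.` above the call. The body of `autoload` continues outside the hunk. If a later branch derives an include path from `$className`, it is worth confirming there that the name is limited to identifier characters and backslashes before it reaches `require`, because every class name passes through this function.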
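Review bot: Both tests in tests/lib/autoloader.php (PATCH 2/5) can pass without `OC::autoload` ever running, because `class_exists()` returns true for a class that is already loaded. If the bootstrap or an earlier test has touched `OC\Files\Storage\Local`, neither case exercises the backslash handling, and the second test is satisfied by the first having loaded the class. Calling `OC::autoload('\OC\Files\Storage\Local')` directly and then asserting `class_exists('OC\Files\Storage\Local', false)`, ideally on a class nothing else loads, would pin the behaviour the fix is about. The method names say "Slash" where a backslash is meant.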
@@ -18,6 +18,10 @@ $hasPostgreSQL = is_callable('pg_connect');
 $hasOracle = is_callable('oci_connect');
 $hasMSSQL = is_callable('sqlsrv_connect');
 $datadir = OC_Config::getValue('datadirectory', OC::$SERVERROOT.'/data');
+$vulnerableToNullByte = false;
+if(file_exists(__FILE__."\0Nullbyte")) { // Check if the used PHP version is vulnerable to the NULL Byte attack (CVE-2006-7243)
+ $vulnerableToNullByte = true;
+}
 // Protect data directory here, so we can test if the protection is working
 OC_Setup::protectDataDirectory();
@@ -31,6 +35,7 @@ $opts = array(
 'directory' => $datadir,
 'secureRNG' => OC_Util::secureRNG_available(),
 'htaccessWorking' => OC_Util::ishtaccessworking(),
+ 'vulnerableToNullByte' => $vulnerableToNullByte,
 'errors' => array(),
 );
From 68d55648d5904a86d21fb5258684687a31929011 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Wed, 20 Mar 2013 08:44:33 +0100
Subject: [PATCH 4/5] Show a warning in the installer if the used PHP version is vulnerable to the NULL Byte attack
---
 core/templates/installation.php | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/core/templates/installation.php b/core/templates/installation.php
index 842686932c7..c70903cba55 100644
--- a/core/templates/installation.php
+++ b/core/templates/installation.php
@@ -19,6 +19,13 @@ + +
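Review bot: The null-byte probe added to core/setup.php (PATCH 3/5, first hunk) is advisory only: its result goes into `'vulnerableToNullByte'` in `$opts` in the second hunk while `'errors'` stays `array()`, so installation on an affected PHP build presumably proceeds after the warning from PATCH 4/5. If CVE-2006-7243 is considered a blocker for safe path handling, the flag should feed `'errors'`; if not, a comment saying the warning is deliberate would help. The probe runs only when the installer is rendered, so an existing instance later moved to an affected PHP build gets no warning from this code. The four added lines can be one assignment with the comment above it, `$vulnerableToNullByte = (file_exists(__FILE__ . "\0Nullbyte") === true);`, and it is worth checking that the call does not emit an invalid-path warning into the installer page on fixed builds.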
+ t('Security Warning'));?> +

t('Your PHP version is vulnerable to the NULL Byte attack (CVE-2006-7243)'));?>
+ t('Please update your PHP installation to use ownCloud securely.'));?>

+
+
t('Security Warning'));?>
From 3e9ea6d13b33cb23274d688f6375e7856ec16e2c Mon Sep 17 00:00:00 2001
From: VicDeo
Date: Wed, 20 Mar 2013 16:54:06 +0400
Subject: [PATCH 5/5] Remove space before parethesis
---
 lib/base.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/base.php b/lib/base.php
index c921c45f4a1..76ad0654ed0 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -78,7 +78,7 @@ class OC {
 * SPL autoload
 */
 public static function autoload($className) {
- $className = trim ($className, '\\');
+ $className = trim($className, '\\');
 if (array_key_exists($className, OC::$CLASSPATH)) {
 $path = OC::$CLASSPATH[$className];