upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-05-28 04:32:30 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 25

fix: Also validate parent path in verifyPath

Browse source 
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
This commit is contained in:
Ferdinand Thiessen 2024-08-27 14:07:44 +02:00
parent ef3bd03849
commit bcd26323c1
No known key found for this signature in database
GPG key ID: 45FAE7268762B400
2 changed files with 17 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
lib/private/Files/FilenameValidator.php
View file

@ -25,6 +25,8 @@ use Psr\Log\LoggerInterface;
*/
class FilenameValidator implements IFilenameValidator {
public const INVALID_FILE_TYPE = 100;
private IL10N $l10n;
/**
@ -269,12 +271,12 @@ class FilenameValidator implements IFilenameValidator {
*/
protected function checkForbiddenExtension(string $filename): void {
$filename = mb_strtolower($filename);
// Check for forbidden filename exten<sions
// Check for forbidden filename extensions
$forbiddenExtensions = $this->getForbiddenExtensions();
foreach ($forbiddenExtensions as $extension) {
if (str_ends_with($filename, $extension)) {
if (str_starts_with($extension, '.')) {
throw new InvalidPathException($this->l10n->t('"%1$s" is a forbidden file type.', [$extension]));
throw new InvalidPathException($this->l10n->t('"%1$s" is a forbidden file type.', [$extension]), self::INVALID_FILE_TYPE);
} else {
throw new InvalidPathException($this->l10n->t('Filenames must not end with "%1$s".', [$extension]));
}

14
lib/private/Files/Storage/Common.php
View file

@ -13,6 +13,7 @@ use OC\Files\Cache\Propagator;
use OC\Files\Cache\Scanner;
use OC\Files\Cache\Updater;
use OC\Files\Cache\Watcher;
use OC\Files\FilenameValidator;
use OC\Files\Filesystem;
use OC\Files\Storage\Wrapper\Jail;
use OC\Files\Storage\Wrapper\Wrapper;
@ -494,7 +495,18 @@ abstract class Common implements Storage, ILockingStorage, IWriteStreamStorage {
$this->getFilenameValidator()
->validateFilename($fileName);
// NOTE: $path will remain unverified for now
// verify also the path is valid
if ($path && $path !== '/' && $path !== '.') {
try {
$this->verifyPath(dirname($path), basename($path));
} catch (InvalidPathException $e) {
// Ignore invalid file type exceptions on directories
if ($e->getCode() !== FilenameValidator::INVALID_FILE_TYPE) {
$l = \OCP\Util::getL10N('lib');
throw new InvalidPathException($l->t('Invalid parent path'), previous: $e);
}
}
}
}
/**