upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-03-01 13:00:44 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

Fix security issues when copying groupfolder with advanced ACL

Browse source 
Using advanced ACL, it is possible that an user has access to a
directory but not to a subdirectory, so the copying use
Common::copyFromStorage instead of Local::copyFromStorage.

Fix https://github.com/nextcloud/groupfolders/issues/1692

Signed-off-by: Carl Schwan <carl@carlschwan.eu>
This commit is contained in:
Carl Schwan 2021-10-21 16:57:07 +02:00 committed by backportbot[bot]
parent 6b0bdf192c
commit ec8b2a90e6
1 changed files with 4 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
lib/private/Files/Storage/Local.php
View file

@ -525,7 +525,10 @@ class Local extends \OC\Files\Storage\Common {
* @return bool
*/
public function copyFromStorage(IStorage $sourceStorage, $sourceInternalPath, $targetInternalPath, $preserveMtime = false) {
if ($sourceStorage->instanceOfStorage(Local::class)) {
// Don't treat ACLStorageWrapper like local storage where copy can be done directly.
// Instead use the slower recursive copying in php from Common::copyFromStorage with
// more permissions checks.
if ($sourceStorage->instanceOfStorage(Local::class) && !$sourceStorage->instanceOfStorage('OCA\GroupFolders\ACL\ACLStorageWrapper')) {
if ($sourceStorage->instanceOfStorage(Jail::class)) {
/**
* @var \OC\Files\Storage\Wrapper\Jail $sourceStorage