Sanitize length headers when validating quota

This commit is contained in:
Thomas Müller 2016-10-13 12:59:10 +02:00 committed by Morris Jobke
parent 5d7e9bb8fc
commit 08d6884107
No known key found for this signature in database
GPG Key ID: 9CE5ED29E7FCD38A
2 changed files with 25 additions and 22 deletions

View File

@ -25,6 +25,11 @@
*
*/
namespace OCA\DAV\Connector\Sabre;
use OCP\Files\FileInfo;
use OCP\Files\StorageNotAvailableException;
use Sabre\DAV\Exception\InsufficientStorage;
use Sabre\DAV\Exception\ServiceUnavailable;
use Sabre\HTTP\URLUtil;
/**
* This plugin check user quota and deny creating files when they exceeds the quota.
@ -77,17 +82,16 @@ class QuotaPlugin extends \Sabre\DAV\ServerPlugin {
* This method is called before any HTTP method and validates there is enough free space to store the file
*
* @param string $uri
* @param null $data
* @throws \Sabre\DAV\Exception\InsufficientStorage
* @throws InsufficientStorage
* @return bool
*/
public function checkQuota($uri, $data = null) {
public function checkQuota($uri) {
$length = $this->getLength();
if ($length) {
if (substr($uri, 0, 1) !== '/') {
$uri = '/' . $uri;
}
list($parentUri, $newName) = \Sabre\HTTP\URLUtil::splitPath($uri);
list($parentUri, $newName) = URLUtil::splitPath($uri);
if(is_null($parentUri)) {
$parentUri = '';
}
@ -102,11 +106,11 @@ class QuotaPlugin extends \Sabre\DAV\ServerPlugin {
$uri = rtrim($parentUri, '/') . '/' . $info['name'];
}
$freeSpace = $this->getFreeSpace($uri);
if ($freeSpace !== \OCP\Files\FileInfo::SPACE_UNKNOWN && $length > $freeSpace) {
if ($freeSpace !== FileInfo::SPACE_UNKNOWN && $length > $freeSpace) {
if (isset($chunkHandler)) {
$chunkHandler->cleanup();
}
throw new \Sabre\DAV\Exception\InsufficientStorage();
throw new InsufficientStorage();
}
}
return true;
@ -136,13 +140,14 @@ class QuotaPlugin extends \Sabre\DAV\ServerPlugin {
/**
* @param string $uri
* @return mixed
* @throws ServiceUnavailable
*/
public function getFreeSpace($uri) {
try {
$freeSpace = $this->view->free_space(ltrim($uri, '/'));
return $freeSpace;
} catch (\OCP\Files\StorageNotAvailableException $e) {
throw new \Sabre\DAV\Exception\ServiceUnavailable($e->getMessage());
} catch (StorageNotAvailableException $e) {
throw new ServiceUnavailable($e->getMessage());
}
}
}

View File

@ -24,22 +24,20 @@
*
*/
namespace OCA\DAV\Tests\unit\Connector\Sabre;
use Test\TestCase;
/**
* Copyright (c) 2013 Thomas Müller <thomas.mueller@tmit.eu>
* This file is licensed under the Affero General Public License version 3 or
* later.
* See the COPYING-README file.
*/
class QuotaPluginTest extends \Test\TestCase {
class QuotaPluginTest extends TestCase {
/**
* @var \Sabre\DAV\Server
*/
/** @var \Sabre\DAV\Server | \PHPUnit_Framework_MockObject_MockObject */
private $server;
/**
* @var \OCA\DAV\Connector\Sabre\QuotaPlugin
*/
/** @var \OCA\DAV\Connector\Sabre\QuotaPlugin | \PHPUnit_Framework_MockObject_MockObject */
private $plugin;
private function init($quota, $checkedPath = '') {
@ -126,19 +124,19 @@ class QuotaPluginTest extends \Test\TestCase {
}
public function lengthProvider() {
return array(
array(null, array()),
array(1024, array('X-EXPECTED-ENTITY-LENGTH' => '1024')),
array(512, array('CONTENT-LENGTH' => '512')),
array(2048, array('OC-TOTAL-LENGTH' => '2048', 'CONTENT-LENGTH' => '1024')),
array(4096, array('OC-TOTAL-LENGTH' => '2048', 'X-EXPECTED-ENTITY-LENGTH' => '4096')),
return [
[null, []],
[1024, ['X-EXPECTED-ENTITY-LENGTH' => '1024']],
[512, ['CONTENT-LENGTH' => '512']],
[2048, ['OC-TOTAL-LENGTH' => '2048', 'CONTENT-LENGTH' => '1024']],
[4096, ['OC-TOTAL-LENGTH' => '2048', 'X-EXPECTED-ENTITY-LENGTH' => '4096']],
[null, ['X-EXPECTED-ENTITY-LENGTH' => 'A']],
[null, ['CONTENT-LENGTH' => 'A']],
[1024, ['OC-TOTAL-LENGTH' => 'A', 'CONTENT-LENGTH' => '1024']],
[1024, ['OC-TOTAL-LENGTH' => 'A', 'X-EXPECTED-ENTITY-LENGTH' => '1024']],
[null, ['OC-TOTAL-LENGTH' => '2048', 'X-EXPECTED-ENTITY-LENGTH' => 'A']],
[null, ['OC-TOTAL-LENGTH' => '2048', 'CONTENT-LENGTH' => 'A']],
);
];
}
public function quotaChunkedOkProvider() {