fix users being to able to read files outside the datadir
parent
69ab810005
commit
23d006fc25
|
@ -130,19 +130,28 @@ class OC_FILES {
|
||||||
$zip=false;
|
$zip=false;
|
||||||
$filename=$dir.'/'.$files;
|
$filename=$dir.'/'.$files;
|
||||||
}
|
}
|
||||||
header('Content-Disposition: attachment; filename='.basename($filename));
|
if($zip or OC_FILESYSTEM::is_readable($filename)){
|
||||||
header('Content-Transfer-Encoding: binary');
|
header('Content-Disposition: attachment; filename='.basename($filename));
|
||||||
header('Expires: 0');
|
header('Content-Transfer-Encoding: binary');
|
||||||
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
|
header('Expires: 0');
|
||||||
header('Pragma: public');
|
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
|
||||||
header('Content-Length: ' . filesize($filename));
|
header('Pragma: public');
|
||||||
if(!$zip){
|
header('Content-Length: ' . filesize($filename));
|
||||||
$filename=OC_FILESYSTEM::toTmpFile($filename);
|
}elseif($zip or !OC_FILESYSTEM::file_exists($filename)){
|
||||||
|
header("HTTP/1.0 404 Not Found");
|
||||||
|
die('404 Not Found');
|
||||||
|
}else{
|
||||||
|
header("HTTP/1.0 403 Forbidden");
|
||||||
|
die('403 Forbidden');
|
||||||
}
|
}
|
||||||
ob_end_clean();
|
ob_end_clean();
|
||||||
OC_LOG::event($_SESSION['username'],3,"$dir/$files");
|
OC_LOG::event($_SESSION['username'],3,"$dir/$files");
|
||||||
readfile($filename);
|
if($zip){
|
||||||
unlink($filename);
|
readfile($filename);
|
||||||
|
unlink($filename);
|
||||||
|
}else{
|
||||||
|
OC_FILESYSTEM::readfile($filename);
|
||||||
|
}
|
||||||
foreach(self::$tmpFiles as $tmpFile){
|
foreach(self::$tmpFiles as $tmpFile){
|
||||||
if(file_exists($tmpFile) and is_file($tmpFile)){
|
if(file_exists($tmpFile) and is_file($tmpFile)){
|
||||||
unlink($tmpFile);
|
unlink($tmpFile);
|
||||||
|
|
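Review bot: The new 403/404 split in the `elseif`/`else` branches tells the caller whether a path that failed `OC_FILESYSTEM::is_readable()` exists, which leaks file existence if `OC_FILESYSTEM::file_exists()` does not apply the same path check (its body is not visible here). Answering both cases with the 404 response, or confirming that `file_exists()` rejects the same paths, would remove that signal. The `$zip or` in the `elseif` is unreachable because a true `$zip` already takes the first branch, so `}elseif(!OC_FILESYSTEM::file_exists($filename)){` is equivalent. Separately, `filesize($filename)` is still the native call while the non-zip body is now sent with `OC_FILESYSTEM::readfile($filename)`, so Content-Length may be computed on a different path than the one served. The enclosing method starts and ends outside this hunk.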
|
@ -34,7 +34,13 @@ class OC_FILESYSTEM{
|
||||||
* @param string path
|
* @param string path
|
||||||
* @return bool
|
* @return bool
|
||||||
*/
|
*/
|
||||||
static private function canRead(){
|
static private function canRead($path){
|
||||||
|
if(substr($path,0,1)!=='/'){
|
||||||
|
$path='/'.$path;
|
||||||
|
}
|
||||||
|
if(strstr($path,'/../')){
|
||||||
|
return false;
|
||||||
|
}
|
||||||
return true;//dummy untill premissions are correctly implemented, also the correcty value because for now users are locked in their seperate data dir and can read/write everything in there
|
return true;//dummy untill premissions are correctly implemented, also the correcty value because for now users are locked in their seperate data dir and can read/write everything in there
|
||||||
}
|
}
|
||||||
/**
|
/**
|
||||||
|
@ -42,7 +48,13 @@ class OC_FILESYSTEM{
|
||||||
* @param string path
|
* @param string path
|
||||||
* @return bool
|
* @return bool
|
||||||
*/
|
*/
|
||||||
static private function canWrite(){
|
static private function canWrite($path){
|
||||||
|
if(substr($path,0,1)!=='/'){
|
||||||
|
$path='/'.$path;
|
||||||
|
}
|
||||||
|
if(strstr($path,'/../')){
|
||||||
|
return false;
|
||||||
|
}
|
||||||
return true;//dummy untill premissions are correctly implemented, also the correcty value because for now users are locked in their seperate data dir and can read/write everything in there
|
return true;//dummy untill premissions are correctly implemented, also the correcty value because for now users are locked in their seperate data dir and can read/write everything in there
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
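Review bot: The traversal check added to `canRead()` (and the identical one in `canWrite()`) only matches `..` when a slash follows it, so a path whose last segment is `..` is still accepted, including a bare `..`, which becomes `/..` after the prefix step; backslash-separated forms also pass on platforms that treat `\` as a separator. Comparing whole segments closes that gap: `if(in_array('..',explode('/',str_replace('\\','/',$path)),true)){ return false; }`. Both methods now carry the same six lines, so one private static helper called from each would keep the two checks from drifting, and the trailing `//dummy ...` comment should state that rejecting `..` is the only enforcement in place. Callers that still invoke `canRead()`/`canWrite()` without an argument are not visible here and should be checked.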