Merge pull request #16128 from nextcloud/backport/16107/stable16
[stable16] verify that paths are valid for recursive local move
This commit is contained in:
commit
34e28920c5
|
@ -39,6 +39,7 @@
|
|||
|
||||
namespace OC\Files\Storage;
|
||||
|
||||
use OC\Files\Filesystem;
|
||||
use OC\Files\Storage\Wrapper\Jail;
|
||||
use OCP\Files\ForbiddenException;
|
||||
use OCP\Files\Storage\IStorage;
|
||||
|
@ -231,6 +232,18 @@ class Local extends \OC\Files\Storage\Common {
|
|||
|
||||
}
|
||||
|
||||
private function treeContainsBlacklistedFile(string $path): bool {
|
||||
$iterator = new \RecursiveIteratorIterator(new \RecursiveDirectoryIterator($path));
|
||||
foreach ($iterator as $file) {
|
||||
/** @var \SplFileInfo $file */
|
||||
if (Filesystem::isFileBlacklisted($file->getBasename())) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
public function rename($path1, $path2) {
|
||||
$srcParent = dirname($path1);
|
||||
$dstParent = dirname($path2);
|
||||
|
@ -267,6 +280,10 @@ class Local extends \OC\Files\Storage\Common {
|
|||
}
|
||||
return $result;
|
||||
}
|
||||
|
||||
if ($this->treeContainsBlacklistedFile($this->getSourcePath($path1))) {
|
||||
throw new ForbiddenException('Invalid path', false);
|
||||
}
|
||||
}
|
||||
|
||||
return rename($this->getSourcePath($path1), $this->getSourcePath($path2));
|
||||
|
@ -362,6 +379,10 @@ class Local extends \OC\Files\Storage\Common {
|
|||
* @throws ForbiddenException
|
||||
*/
|
||||
public function getSourcePath($path) {
|
||||
if (Filesystem::isFileBlacklisted($path)) {
|
||||
throw new ForbiddenException('Invalid path', false);
|
||||
}
|
||||
|
||||
$fullPath = $this->datadir . $path;
|
||||
$currentPath = $path;
|
||||
if ($this->allowSymlinks || $currentPath === '') {
|
||||
|
|
Loading…
Reference in New Issue