Harden files drop

* Fail on MKCOL
* Only take filename ignore directories
* No need to parse query parameters

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
Roeland Jago Douma 2016-12-02 10:03:02 +01:00
parent be1b2b723f
commit 363963577c
No known key found for this signature in database
GPG Key ID: F941078878347C0C
1 changed files with 10 additions and 20 deletions

View File

@ -23,6 +23,7 @@
namespace OCA\DAV\Files\Sharing;
use OC\Files\View;
use Sabre\DAV\Exception\MethodNotAllowed;
use Sabre\DAV\ServerPlugin;
use Sabre\HTTP\RequestInterface;
use Sabre\HTTP\ResponseInterface;
@ -56,6 +57,7 @@ class FilesDropPlugin extends ServerPlugin {
* @param \Sabre\DAV\Server $server Sabre server
*
* @return void
* @throws MethodNotAllowed
*/
public function initialize(\Sabre\DAV\Server $server) {
$server->on('beforeMethod', [$this, 'beforeMethod'], 999);
@ -64,31 +66,19 @@ class FilesDropPlugin extends ServerPlugin {
public function beforeMethod(RequestInterface $request, ResponseInterface $response){
if (!$this->enabled || $request->getMethod() !== 'PUT') {
if (!$this->enabled) {
return;
}
$path = $request->getPath();
if ($this->view->file_exists($path)) {
$newName = \OC_Helper::buildNotExistingFileNameForView('/', $path, $this->view);
$url = $request->getBaseUrl() . $newName . '?';
$parms = $request->getQueryParameters();
$first = true;
foreach ($parms as $k => $v) {
if ($first) {
$url .= '?';
$first = false;
} else {
$url .= '&';
}
$url .= $k . '=' . $v;
}
$request->setUrl($url);
if ($request->getMethod() !== 'PUT') {
throw new MethodNotAllowed('Only PUT is allowed on files drop');
}
$path = explode('/', $request->getPath());
$path = array_pop($path);
$newName = \OC_Helper::buildNotExistingFileNameForView('/', $path, $this->view);
$url = $request->getBaseUrl() . $newName;
$request->setUrl($url);
}
}