fix security check for the path of the requested file
This commit is contained in:
Georg Ehrke
parent
0249a72cab
commit
40f95ffdf3
|
|
@ -135,7 +135,7 @@ $(document).ready(function(){
|
|||
var downloadScope = 'file';
|
||||
}
|
||||
FileActions.register(downloadScope,'Download',function(){return OC.imagePath('core','actions/download')},function(filename){
|
||||
window.location=OC.filePath('files', 'ajax', 'download.php?files='+encodeURIComponent(filename)+'&dir='+encodeURIComponent($('#dir').val()));
|
||||
window.location=OC.filePath('files', 'ajax', 'download.php') + '?files='+encodeURIComponent(filename)+'&dir='+encodeURIComponent($('#dir').val());
|
||||
});
|
||||
});
|
||||
|
||||
|
|
|
|||
|
|
@ -140,7 +140,7 @@ $(document).ready(function() {
|
|||
var dir=$('#dir').val()||'/';
|
||||
$('#notification').text(t('files','generating ZIP-file, it may take some time.'));
|
||||
$('#notification').fadeIn();
|
||||
window.location=OC.filePath('files', 'ajax', 'download.php?files='+encodeURIComponent(files)+'&dir='+encodeURIComponent(dir));
|
||||
window.location=OC.filePath('files', 'ajax', 'download.php') + '?files='+encodeURIComponent(files)+'&dir='+encodeURIComponent(dir);
|
||||
return false;
|
||||
});
|
||||
|
||||
|
|
|
|||
|
|
@ -53,13 +53,12 @@ OC={
|
|||
filePath:function(app,type,file){
|
||||
var isCore=OC.coreApps.indexOf(app)!=-1;
|
||||
var link=OC.webroot;
|
||||
var splitted = file.split('?');
|
||||
if((splitted[0].substring(splitted[0].length-3) == 'php' || splitted[0].substring(splitted[0].length-3) == 'css') && !isCore){
|
||||
if((file.substring(file.length-3) == 'php' || file.substring(file.length-3) == 'css') && !isCore){
|
||||
link+='/?app=' + app + '&getfile=';
|
||||
if(type){
|
||||
link+=encodeURI(type + '/');
|
||||
}
|
||||
link+= file + '?' + splitted[1];
|
||||
link+= file;
|
||||
}else if(file.substring(file.length-3) != 'php' && !isCore){
|
||||
link=OC.appswebroot;
|
||||
link+='/';
|
||||
|
|
|
|||
14
lib/base.php
14
lib/base.php
|
|
@ -276,7 +276,7 @@ class OC{
|
|||
}
|
||||
|
||||
public static function loadapp(){
|
||||
if(file_exists(OC::$APPSROOT . '/apps/' . OC::$REQUESTEDAPP)){
|
||||
if(file_exists(OC::$APPSROOT . '/apps/' . OC::$REQUESTEDAPP . '/index.php')){
|
||||
require_once(OC::$APPSROOT . '/apps/' . OC::$REQUESTEDAPP . '/index.php');
|
||||
}else{
|
||||
trigger_error('The requested App was not found.', E_USER_ERROR);//load default app instead?
|
||||
|
|
@ -414,7 +414,7 @@ class OC{
|
|||
register_shutdown_function(array('OC_Helper','cleanTmp'));
|
||||
|
||||
self::$REQUESTEDAPP = (isset($_GET['app'])?strip_tags($_GET['app']):'files');
|
||||
self::$REQUESTEDFILE = $_GET['getfile'];
|
||||
self::$REQUESTEDFILE = (isset($_GET['getfile'])?$_GET['getfile']:null);
|
||||
if(substr_count(self::$REQUESTEDFILE, '?') != 0){
|
||||
$file = substr(self::$REQUESTEDFILE, 0, strpos(self::$REQUESTEDFILE, '?'));
|
||||
$param = substr(self::$REQUESTEDFILE, strpos(self::$REQUESTEDFILE, '?') + 1);
|
||||
|
|
@ -423,7 +423,15 @@ class OC{
|
|||
self::$REQUESTEDFILE = $file;
|
||||
$_GET['getfile'] = $file;
|
||||
}
|
||||
self::$REQUESTEDFILE = (isset($_GET['getfile'])?(OC_Helper::issubdirectory(OC::$APPSROOT . '/' . self::$REQUESTEDAPP . '/' . self::$REQUESTEDFILE, OC::$APPSROOT . '/' . self::$REQUESTEDAPP)?self::$REQUESTEDFILE:null):null);
|
||||
if(!is_null(self::$REQUESTEDFILE)){
|
||||
$subdir = OC::$APPSROOT . '/' . self::$REQUESTEDAPP . '/' . self::$REQUESTEDFILE;
|
||||
$parent = OC::$APPSROOT . '/' . self::$REQUESTEDAPP;
|
||||
if(!OC_Helper::issubdirectory($subdir, $parent)){
|
||||
self::$REQUESTEDFILE = null;
|
||||
//header('HTTP/1.0 404 Not Found');
|
||||
exit;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -560,6 +560,23 @@ class OC_Helper {
|
|||
* @return bool
|
||||
*/
|
||||
public static function issubdirectory($sub, $parent){
|
||||
return (substr(realpath($sub), 0, strlen(realpath($parent))) == realpath($parent))?true:false;
|
||||
if($sub == null || $sub == '' || $parent == null || $parent == ''){
|
||||
return false;
|
||||
}
|
||||
$realpath_sub = realpath($sub);
|
||||
$realpath_parent = realpath($parent);
|
||||
if(($realpath_sub == false && substr_count($realpath_sub, './') != 0) || ($realpath_parent == false && substr_count($realpath_parent, './') != 0)){ //it checks for both ./ and ../
|
||||
return false;
|
||||
}
|
||||
if($realpath_sub && $realpath_sub != '' && $realpath_parent && $realpath_parent != ''){
|
||||
if(substr($sub, 0, strlen($parent)) == $parent){
|
||||
return true;
|
||||
}
|
||||
}else{
|
||||
if(substr($realpath_sub, 0, strlen($realpath_parent)) == $realpath_parent){
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue