From 40f95ffdf3edf9ab45c15bd5b9018d7f4d92baa9 Mon Sep 17 00:00:00 2001
From: Georg Ehrke
Date: Thu, 26 Apr 2012 17:55:00 +0200
Subject: [PATCH] fix security check for the path of the requested file

---
 apps/files/js/fileactions.js | 2 +-
 apps/files/js/files.js | 2 +-
 core/js/js.js | 5 ++---
 lib/base.php | 14 +++++++++++---
 lib/helper.php | 19 ++++++++++++++++++-
 5 files changed, 33 insertions(+), 9 deletions(-)

diff --git a/apps/files/js/fileactions.js b/apps/files/js/fileactions.js
index fc6c99262e..481802e0d6 100644
--- a/apps/files/js/fileactions.js
+++ b/apps/files/js/fileactions.js
@@ -135,7 +135,7 @@ $(document).ready(function(){
  var downloadScope = 'file';
  }
  FileActions.register(downloadScope,'Download',function(){return OC.imagePath('core','actions/download')},function(filename){
- window.location=OC.filePath('files', 'ajax', 'download.php?files='+encodeURIComponent(filename)+'&dir='+encodeURIComponent($('#dir').val()));
+ window.location=OC.filePath('files', 'ajax', 'download.php') + '?files='+encodeURIComponent(filename)+'&dir='+encodeURIComponent($('#dir').val());
  });
  });
diff --git a/apps/files/js/files.js b/apps/files/js/files.js
index 4637d3cb64..9d83e5e6d2 100644
--- a/apps/files/js/files.js
+++ b/apps/files/js/files.js
@@ -140,7 +140,7 @@ $(document).ready(function() {
  var dir=$('#dir').val()||'/';
  $('#notification').text(t('files','generating ZIP-file, it may take some time.'));
  $('#notification').fadeIn();
- window.location=OC.filePath('files', 'ajax', 'download.php?files='+encodeURIComponent(files)+'&dir='+encodeURIComponent(dir));
+ window.location=OC.filePath('files', 'ajax', 'download.php') + '?files='+encodeURIComponent(files)+'&dir='+encodeURIComponent(dir);
  return false;
  });
diff --git a/core/js/js.js b/core/js/js.js
index 84875ca162..12303d7dd9 100644
--- a/core/js/js.js
+++ b/core/js/js.js
@@ -53,13 +53,12 @@ OC={
  filePath:function(app,type,file){
  var isCore=OC.coreApps.indexOf(app)!=-1;
  var link=OC.webroot;
- var splitted = file.split('?');
- if((splitted[0].substring(splitted[0].length-3) == 'php' || splitted[0].substring(splitted[0].length-3) == 'css') && !isCore){
+ if((file.substring(file.length-3) == 'php' || file.substring(file.length-3) == 'css') && !isCore){
  link+='/?app=' + app + '&getfile=';
  if(type){
  link+=encodeURI(type + '/');
  }
- link+= file + '?' + splitted[1];
+ link+= file;
  }else if(file.substring(file.length-3) != 'php' && !isCore){
  link=OC.appswebroot;
  link+='/';
diff --git a/lib/base.php b/lib/base.php
index bb6dc3d8d7..74693641f6 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -276,7 +276,7 @@ class OC{
  }
  public static function loadapp(){
- if(file_exists(OC::$APPSROOT . '/apps/' . OC::$REQUESTEDAPP)){
+ if(file_exists(OC::$APPSROOT . '/apps/' . OC::$REQUESTEDAPP . '/index.php')){
  require_once(OC::$APPSROOT . '/apps/' . OC::$REQUESTEDAPP . '/index.php');
  }else{
  trigger_error('The requested App was not found.', E_USER_ERROR);//load default app instead?
@@ -414,7 +414,7 @@ class OC{
  register_shutdown_function(array('OC_Helper','cleanTmp'));
  self::$REQUESTEDAPP = (isset($_GET['app'])?strip_tags($_GET['app']):'files');
- self::$REQUESTEDFILE = $_GET['getfile'];
+ self::$REQUESTEDFILE = (isset($_GET['getfile'])?$_GET['getfile']:null);
  if(substr_count(self::$REQUESTEDFILE, '?') != 0){
  $file = substr(self::$REQUESTEDFILE, 0, strpos(self::$REQUESTEDFILE, '?'));
  $param = substr(self::$REQUESTEDFILE, strpos(self::$REQUESTEDFILE, '?') + 1);
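Review bot: `link+= file;` (like the `'/?app=' + app` two lines above it) splices the caller's value into the query string unencoded, while `type` on the neighbouring line is passed through `encodeURI`; a `file` containing `&`, `#` or `%` would corrupt or re-split the `getfile` parameter on the server side. If callers never put a `/` in `file`, `link+=encodeURIComponent(file);` is enough, otherwise encode it per path segment the way `type` is handled. filePath's body continues past the end of the hunk.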
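Review bot: The added `/index.php` existence check in loadapp does nothing to constrain `OC::$REQUESTEDAPP` itself, which the -414 hunk below shows is taken from `$_GET['app']` with only `strip_tags` applied; a value such as `../../tmp/x` still satisfies `file_exists` and reaches `require_once`. Unless the app name is validated somewhere not shown here, reject anything that is not a plain identifier before building the path, e.g. `if(!preg_match('/^[a-zA-Z0-9_\-]+$/', OC::$REQUESTEDAPP)){ trigger_error('The requested App was not found.', E_USER_ERROR); }` as the first statement of loadapp. loadapp's body continues past the end of the hunk.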
@@ -423,7 +423,15 @@ class OC{
  self::$REQUESTEDFILE = $file;
  $_GET['getfile'] = $file;
  }
- self::$REQUESTEDFILE = (isset($_GET['getfile'])?(OC_Helper::issubdirectory(OC::$APPSROOT . '/' . self::$REQUESTEDAPP . '/' . self::$REQUESTEDFILE, OC::$APPSROOT . '/' . self::$REQUESTEDAPP)?self::$REQUESTEDFILE:null):null);
+ if(!is_null(self::$REQUESTEDFILE)){
+ $subdir = OC::$APPSROOT . '/' . self::$REQUESTEDAPP . '/' . self::$REQUESTEDFILE;
+ $parent = OC::$APPSROOT . '/' . self::$REQUESTEDAPP;
+ if(!OC_Helper::issubdirectory($subdir, $parent)){
+ self::$REQUESTEDFILE = null;
+ //header('HTTP/1.0 404 Not Found');
+ exit;
+ }
+ }
  }
  }
diff --git a/lib/helper.php b/lib/helper.php
index a89aa4d37f..1d9862bf8b 100755
--- a/lib/helper.php
+++ b/lib/helper.php
@@ -560,6 +560,23 @@ class OC_Helper {
  * @return bool
  */
  public static function issubdirectory($sub, $parent){
- return (substr(realpath($sub), 0, strlen(realpath($parent))) == realpath($parent))?true:false;
+ if($sub == null || $sub == '' || $parent == null || $parent == ''){
+ return false;
+ }
+ $realpath_sub = realpath($sub);
+ $realpath_parent = realpath($parent);
+ if(($realpath_sub == false && substr_count($realpath_sub, './') != 0) || ($realpath_parent == false && substr_count($realpath_parent, './') != 0)){ //it checks for both ./ and ../
+ return false;
+ }
+ if($realpath_sub && $realpath_sub != '' && $realpath_parent && $realpath_parent != ''){
+ if(substr($sub, 0, strlen($parent)) == $parent){
+ return true;
+ }
+ }else{
+ if(substr($realpath_sub, 0, strlen($realpath_parent)) == $realpath_parent){
+ return true;
+ }
+ }
+ return false;
  }
  }
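Review bot: `$parent = OC::$APPSROOT . '/' . self::$REQUESTEDAPP;` builds the app directory without the `/apps/` segment that loadapp in this same patch uses (`OC::$APPSROOT . '/apps/' . OC::$REQUESTEDAPP`); if `$APPSROOT` is the directory that contains `apps/`, as that usage suggests, neither `$parent` nor `$subdir` exists, `realpath()` fails inside issubdirectory, and the containment check never examines the path that will actually be served. Derive both from the same base, e.g. `$parent = OC::$APPSROOT . '/apps/' . self::$REQUESTEDAPP;` and `$subdir = $parent . '/' . self::$REQUESTEDFILE;`. Separately, the rejection branch calls `exit` with the status line still commented out, so a traversal attempt is answered with an empty 200; re-enable `header('HTTP/1.0 404 Not Found');` before `exit;`. The enclosing method begins before the hunk.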
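Review bot: The rewritten issubdirectory still lets `..` through: in the branch where both `realpath()` calls succeed it compares the raw `$sub` against the raw `$parent` by string prefix, so `$parent . '/../../etc/passwd'` is accepted, and the resolved paths are only compared in the branch where at least one `realpath()` returned false, where two non-existent paths yield an empty/false prefix on both sides and compare loosely equal. The `substr_count($realpath_sub, './')` guard inspects the `realpath()` result (always `false` in that branch) rather than `$sub`, so it never fires, and the prefix test has no trailing separator, so `/apps/files` also matches `/apps/files_trashbin/...`. Since the caller only serves existing files, require both paths to resolve and compare the resolved paths with a trailing `/`, as below.
```php
public static function issubdirectory($sub, $parent){
	if($sub == null || $sub == '' || $parent == null || $parent == ''){
		return false;
	}
	$realpath_sub = realpath($sub);
	$realpath_parent = realpath($parent);
	// both must exist: a path that does not resolve cannot be shown to lie inside $parent
	if($realpath_sub === false || $realpath_parent === false){
		return false;
	}
	$realpath_parent = rtrim($realpath_parent, '/') . '/';
	// trailing '/' on both sides: $parent itself passes, a sibling sharing the prefix does not
	return substr($realpath_sub . '/', 0, strlen($realpath_parent)) === $realpath_parent;
}
```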