fix security check for the path of the requested file
This commit is contained in:
parent
0249a72cab
commit
40f95ffdf3
|
@ -135,7 +135,7 @@ $(document).ready(function(){
|
||||||
var downloadScope = 'file';
|
var downloadScope = 'file';
|
||||||
}
|
}
|
||||||
FileActions.register(downloadScope,'Download',function(){return OC.imagePath('core','actions/download')},function(filename){
|
FileActions.register(downloadScope,'Download',function(){return OC.imagePath('core','actions/download')},function(filename){
|
||||||
window.location=OC.filePath('files', 'ajax', 'download.php?files='+encodeURIComponent(filename)+'&dir='+encodeURIComponent($('#dir').val()));
|
window.location=OC.filePath('files', 'ajax', 'download.php') + '?files='+encodeURIComponent(filename)+'&dir='+encodeURIComponent($('#dir').val());
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
|
|
@ -140,7 +140,7 @@ $(document).ready(function() {
|
||||||
var dir=$('#dir').val()||'/';
|
var dir=$('#dir').val()||'/';
|
||||||
$('#notification').text(t('files','generating ZIP-file, it may take some time.'));
|
$('#notification').text(t('files','generating ZIP-file, it may take some time.'));
|
||||||
$('#notification').fadeIn();
|
$('#notification').fadeIn();
|
||||||
window.location=OC.filePath('files', 'ajax', 'download.php?files='+encodeURIComponent(files)+'&dir='+encodeURIComponent(dir));
|
window.location=OC.filePath('files', 'ajax', 'download.php') + '?files='+encodeURIComponent(files)+'&dir='+encodeURIComponent(dir);
|
||||||
return false;
|
return false;
|
||||||
});
|
});
|
||||||
|
|
||||||
|
|
|
@ -53,13 +53,12 @@ OC={
|
||||||
filePath:function(app,type,file){
|
filePath:function(app,type,file){
|
||||||
var isCore=OC.coreApps.indexOf(app)!=-1;
|
var isCore=OC.coreApps.indexOf(app)!=-1;
|
||||||
var link=OC.webroot;
|
var link=OC.webroot;
|
||||||
var splitted = file.split('?');
|
if((file.substring(file.length-3) == 'php' || file.substring(file.length-3) == 'css') && !isCore){
|
||||||
if((splitted[0].substring(splitted[0].length-3) == 'php' || splitted[0].substring(splitted[0].length-3) == 'css') && !isCore){
|
|
||||||
link+='/?app=' + app + '&getfile=';
|
link+='/?app=' + app + '&getfile=';
|
||||||
if(type){
|
if(type){
|
||||||
link+=encodeURI(type + '/');
|
link+=encodeURI(type + '/');
|
||||||
}
|
}
|
||||||
link+= file + '?' + splitted[1];
|
link+= file;
|
||||||
}else if(file.substring(file.length-3) != 'php' && !isCore){
|
}else if(file.substring(file.length-3) != 'php' && !isCore){
|
||||||
link=OC.appswebroot;
|
link=OC.appswebroot;
|
||||||
link+='/';
|
link+='/';
|
||||||
|
|
14
lib/base.php
14
lib/base.php
|
@ -276,7 +276,7 @@ class OC{
|
||||||
}
|
}
|
||||||
|
|
||||||
public static function loadapp(){
|
public static function loadapp(){
|
||||||
if(file_exists(OC::$APPSROOT . '/apps/' . OC::$REQUESTEDAPP)){
|
if(file_exists(OC::$APPSROOT . '/apps/' . OC::$REQUESTEDAPP . '/index.php')){
|
||||||
require_once(OC::$APPSROOT . '/apps/' . OC::$REQUESTEDAPP . '/index.php');
|
require_once(OC::$APPSROOT . '/apps/' . OC::$REQUESTEDAPP . '/index.php');
|
||||||
}else{
|
}else{
|
||||||
trigger_error('The requested App was not found.', E_USER_ERROR);//load default app instead?
|
trigger_error('The requested App was not found.', E_USER_ERROR);//load default app instead?
|
||||||
|
@ -414,7 +414,7 @@ class OC{
|
||||||
register_shutdown_function(array('OC_Helper','cleanTmp'));
|
register_shutdown_function(array('OC_Helper','cleanTmp'));
|
||||||
|
|
||||||
self::$REQUESTEDAPP = (isset($_GET['app'])?strip_tags($_GET['app']):'files');
|
self::$REQUESTEDAPP = (isset($_GET['app'])?strip_tags($_GET['app']):'files');
|
||||||
self::$REQUESTEDFILE = $_GET['getfile'];
|
self::$REQUESTEDFILE = (isset($_GET['getfile'])?$_GET['getfile']:null);
|
||||||
if(substr_count(self::$REQUESTEDFILE, '?') != 0){
|
if(substr_count(self::$REQUESTEDFILE, '?') != 0){
|
||||||
$file = substr(self::$REQUESTEDFILE, 0, strpos(self::$REQUESTEDFILE, '?'));
|
$file = substr(self::$REQUESTEDFILE, 0, strpos(self::$REQUESTEDFILE, '?'));
|
||||||
$param = substr(self::$REQUESTEDFILE, strpos(self::$REQUESTEDFILE, '?') + 1);
|
$param = substr(self::$REQUESTEDFILE, strpos(self::$REQUESTEDFILE, '?') + 1);
|
||||||
|
@ -423,7 +423,15 @@ class OC{
|
||||||
self::$REQUESTEDFILE = $file;
|
self::$REQUESTEDFILE = $file;
|
||||||
$_GET['getfile'] = $file;
|
$_GET['getfile'] = $file;
|
||||||
}
|
}
|
||||||
self::$REQUESTEDFILE = (isset($_GET['getfile'])?(OC_Helper::issubdirectory(OC::$APPSROOT . '/' . self::$REQUESTEDAPP . '/' . self::$REQUESTEDFILE, OC::$APPSROOT . '/' . self::$REQUESTEDAPP)?self::$REQUESTEDFILE:null):null);
|
if(!is_null(self::$REQUESTEDFILE)){
|
||||||
|
$subdir = OC::$APPSROOT . '/' . self::$REQUESTEDAPP . '/' . self::$REQUESTEDFILE;
|
||||||
|
$parent = OC::$APPSROOT . '/' . self::$REQUESTEDAPP;
|
||||||
|
if(!OC_Helper::issubdirectory($subdir, $parent)){
|
||||||
|
self::$REQUESTEDFILE = null;
|
||||||
|
//header('HTTP/1.0 404 Not Found');
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
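Review bot: The rejection branch of the new `if(!OC_Helper::issubdirectory($subdir, $parent))` block calls `exit` with the status header left commented out, so a request that fails the path check is answered with an empty 200 response; send an explicit status before leaving, e.g. `header('HTTP/1.0 403 Forbidden'); exit;`, and log the rejected value so the event is visible in server logs. The check also covers only the file component: `$parent` is built from `self::$REQUESTEDAPP`, which the -414 hunk above takes from `$_GET['app']` through `strip_tags` alone and which loadapp later uses in `require_once(OC::$APPSROOT . '/apps/' . OC::$REQUESTEDAPP . '/index.php')`, so the app name should be validated too, either with the same `issubdirectory` check of `OC::$APPSROOT . '/apps/' . self::$REQUESTEDAPP` against `OC::$APPSROOT . '/apps'` or by restricting it to a safe character set. Note as well that `$subdir` and `$parent` are composed as `OC::$APPSROOT . '/' . self::$REQUESTEDAPP` while loadapp composes `OC::$APPSROOT . '/apps/' . ...`; if the served file actually lives under the `/apps/` path, the checked path does not exist, `realpath()` returns false for it, and the check is not run against the real location, so it is worth confirming which layout is current. The enclosing method begins outside the hunk.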
@ -560,6 +560,23 @@ class OC_Helper {
|
||||||
* @return bool
|
* @return bool
|
||||||
*/
|
*/
|
||||||
public static function issubdirectory($sub, $parent){
|
public static function issubdirectory($sub, $parent){
|
||||||
return (substr(realpath($sub), 0, strlen(realpath($parent))) == realpath($parent))?true:false;
|
if($sub == null || $sub == '' || $parent == null || $parent == ''){
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
$realpath_sub = realpath($sub);
|
||||||
|
$realpath_parent = realpath($parent);
|
||||||
|
if(($realpath_sub == false && substr_count($realpath_sub, './') != 0) || ($realpath_parent == false && substr_count($realpath_parent, './') != 0)){ //it checks for both ./ and ../
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
if($realpath_sub && $realpath_sub != '' && $realpath_parent && $realpath_parent != ''){
|
||||||
|
if(substr($sub, 0, strlen($parent)) == $parent){
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}else{
|
||||||
|
if(substr($realpath_sub, 0, strlen($realpath_parent)) == $realpath_parent){
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
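Review bot: In the new `issubdirectory` the two branches are inverted: when both `realpath()` calls succeed it compares the raw `$sub` against the raw `$parent` by string prefix, which is the comparison that normalisation was meant to replace, and only when a `realpath()` fails does it compare the resolved values. Because the caller builds `$sub` as `$parent . '/' . $file`, the raw-prefix branch is always true, so a `..` component in `$file` is not detected as long as the path resolves. The `substr_count($realpath_sub, './')` guard can never fire, since it is evaluated only when `$realpath_sub == false`, and when both resolutions fail the final `substr(false, 0, 0) == false` comparison yields true. The rewrite below fails closed whenever either path does not resolve, compares only the resolved paths, and appends a directory separator to the parent so that a sibling directory sharing the prefix is not accepted; as a consequence `$sub` resolving to exactly `$parent` no longer counts as inside, which no caller on this page relies on.
```php
public static function issubdirectory($sub, $parent){
    if($sub == null || $sub == '' || $parent == null || $parent == ''){
        return false;
    }
    $realpath_sub = realpath($sub);
    $realpath_parent = realpath($parent);
    // Fail closed: a path that does not resolve cannot be shown to lie inside $parent.
    if($realpath_sub === false || $realpath_parent === false){
        return false;
    }
    // Compare only the resolved paths, with a trailing separator so that a
    // sibling directory that merely shares the prefix is not accepted.
    $realpath_parent = rtrim($realpath_parent, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return substr($realpath_sub, 0, strlen($realpath_parent)) === $realpath_parent;
}
```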