From 4d91fa4c93aa88480a52eed40fe65d7fdd4912d4 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Fri, 6 Feb 2015 15:03:29 +0100 Subject: [PATCH] Normalize before processing --- lib/private/files/filesystem.php | 10 ++++++---- lib/private/files/mapper.php | 18 ++++++++++++++---- tests/lib/files/filesystem.php | 22 ++++++++++++++++++++++ tests/lib/files/mapper.php | 9 +++++++++ 4 files changed, 51 insertions(+), 8 deletions(-) diff --git a/lib/private/files/filesystem.php b/lib/private/files/filesystem.php index 140d892652..e933782ce2 100644 --- a/lib/private/files/filesystem.php +++ b/lib/private/files/filesystem.php @@ -543,9 +543,11 @@ class Filesystem { * @return bool */ static public function isFileBlacklisted($filename) { + $filename = self::normalizePath($filename); + $blacklist = \OC_Config::getValue('blacklisted_files', array('.htaccess')); $filename = strtolower(basename($filename)); - return (in_array($filename, $blacklist)); + return in_array($filename, $blacklist); } /** @@ -734,6 +736,9 @@ class Filesystem { return '/'; } + //normalize unicode if possible + $path = \OC_Util::normalizeUnicode($path); + //no windows style slashes $path = str_replace('\\', '/', $path); @@ -770,9 +775,6 @@ class Filesystem { $path = substr($path, 0, -2); } - //normalize unicode if possible - $path = \OC_Util::normalizeUnicode($path); - $normalizedPath = $windows_drive_letter . $path; self::$normalizedPathCache[$cacheKey] = $normalizedPath; diff --git a/lib/private/files/mapper.php b/lib/private/files/mapper.php index 5e78ef03dd..86c23c62e4 100644 --- a/lib/private/files/mapper.php +++ b/lib/private/files/mapper.php @@ -115,6 +115,8 @@ class Mapper /** * @param string $logicPath + * @return null + * @throws \OC\DatabaseException */ private function resolveLogicPath($logicPath) { $logicPath = $this->resolveRelativePath($logicPath); @@ -162,7 +164,8 @@ class Mapper /** * @param string $logicPath - * @param boolean $store + * @param bool $store + * @return string */ private function create($logicPath, $store) { $logicPath = $this->resolveRelativePath($logicPath); @@ -191,7 +194,9 @@ class Mapper } /** - * @param integer $index + * @param string $path + * @param int $index + * @return string */ public function slugifyPath($path, $index = null) { $path = $this->stripRootFolder($path, $this->unchangedPhysicalRoot); @@ -205,7 +210,7 @@ class Mapper continue; } - $sluggedElements[] = self::slugify($pathElement); + $sluggedElements[] = $this->slugify($pathElement); } // apply index to file name @@ -253,13 +258,18 @@ class Mapper // trim ending dots (for security reasons and win compatibility) $text = preg_replace('~\.+$~', '', $text); - if (empty($text)) { + if (empty($text) || \OC\Files\Filesystem::isFileBlacklisted($text)) { /** * Item slug would be empty. Previously we used uniqid() here. * However this means that the behaviour is not reproducible, so * when uploading files into a "empty" folder, the folders name is * different. * + * The other case is, that the slugified name would be a blacklisted + * filename. In this case we just use the same workaround by + * returning the secure md5 hash of the original name. + * + * * If there would be a md5() hash collision, the deduplicate check * will spot this and append an index later, so this should not be * a problem. diff --git a/tests/lib/files/filesystem.php b/tests/lib/files/filesystem.php index 888690adb0..7bf59315d7 100644 --- a/tests/lib/files/filesystem.php +++ b/tests/lib/files/filesystem.php @@ -187,6 +187,28 @@ class Filesystem extends \Test\TestCase { $this->assertSame($expected, \OC\Files\Filesystem::isValidPath($path)); } + public function isFileBlacklistedData() { + return array( + array('/etc/foo/bar/foo.txt', false), + array('\etc\foo/bar\foo.txt', false), + array('.htaccess', true), + array('.htaccess/', true), + array('.htaccess\\', true), + array('/etc/foo\bar/.htaccess\\', true), + array('/etc/foo\bar/.htaccess/', true), + array('/etc/foo\bar/.htaccess/foo', false), + array('//foo//bar/\.htaccess/', true), + array('\foo\bar\.HTAccess', true), + ); + } + + /** + * @dataProvider isFileBlacklistedData + */ + public function testIsFileBlacklisted($path, $expected) { + $this->assertSame($expected, \OC\Files\Filesystem::isFileBlacklisted($path)); + } + public function normalizePathWindowsAbsolutePathData() { return array( array('C:/', 'C:\\'), diff --git a/tests/lib/files/mapper.php b/tests/lib/files/mapper.php index 18161734b6..cd35d4f8fc 100644 --- a/tests/lib/files/mapper.php +++ b/tests/lib/files/mapper.php @@ -68,6 +68,15 @@ class Mapper extends \Test\TestCase { */ array('D:/' . md5('ありがとう'), 'D:/ありがとう'), array('D:/' . md5('ありがとう') . '/issue6722.txt', 'D:/ありがとう/issue6722.txt'), + array('D:/' . md5('.htaccess'), 'D:/.htaccess'), + array('D:/' . md5('.htaccess.'), 'D:/.htaccess.'), + array('D:/' . md5('.htAccess'), 'D:/.htAccess'), + array('D:/' . md5('.htAccess\\…\\') . '/a', 'D:/.htAccess\…\/とa'), + array('D:/' . md5('.htaccess-'), 'D:/.htaccess-'), + array('D:/' . md5('.htaあccess'), 'D:/.htaあccess'), + array('D:/' . md5(' .htaccess'), 'D:/ .htaccess'), + array('D:/' . md5('.htaccess '), 'D:/.htaccess '), + array('D:/' . md5(' .htaccess '), 'D:/ .htaccess '), ); }