From 33aec973dfdce7307480f03417b14de55f30d9d2 Mon Sep 17 00:00:00 2001 From: Thomas Tanghus Date: Tue, 19 Jun 2012 14:55:14 +0200 Subject: [PATCH 01/13] Loading of contacts was placed outside of $(document).ready() function. --- apps/contacts/js/contacts.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apps/contacts/js/contacts.js b/apps/contacts/js/contacts.js index 1408e840f2..56dc2d422c 100644 --- a/apps/contacts/js/contacts.js +++ b/apps/contacts/js/contacts.js @@ -1699,5 +1699,6 @@ $(document).ready(function(){ } $('#contacts_propertymenu_dropdown a').click(propertyMenuItem); $('#contacts_propertymenu_dropdown a').keydown(propertyMenuItem); + + Contacts.UI.Contacts.update(); }); -Contacts.UI.Contacts.update(); From 0b9a48b4b6fe7f75475c931c554fc9208a697113 Mon Sep 17 00:00:00 2001 From: Thomas Tanghus Date: Tue, 19 Jun 2012 14:56:21 +0200 Subject: [PATCH 02/13] Re-add missing loadhandlers() call. --- apps/contacts/js/contacts.js | 1 + 1 file changed, 1 insertion(+) diff --git a/apps/contacts/js/contacts.js b/apps/contacts/js/contacts.js index 56dc2d422c..2319334c58 100644 --- a/apps/contacts/js/contacts.js +++ b/apps/contacts/js/contacts.js @@ -1700,5 +1700,6 @@ $(document).ready(function(){ $('#contacts_propertymenu_dropdown a').click(propertyMenuItem); $('#contacts_propertymenu_dropdown a').keydown(propertyMenuItem); + Contacts.UI.loadHandlers(); Contacts.UI.Contacts.update(); }); From d2936bd90caa2b256d32e7d349449ed58b28107b Mon Sep 17 00:00:00 2001 From: Bjoern Schiessle Date: Tue, 19 Jun 2012 17:20:19 +0200 Subject: [PATCH 03/13] introducing a sanitize HTML function for the internal and the public API. This allows to easily convert strings to HTML before displaying them on the web page to reduce the risk of xss vulnerabilities. --- lib/public/util.php | 12 ++++++++++++ lib/util.php | 17 ++++++++++++++++- 2 files changed, 28 insertions(+), 1 deletion(-) 
diff --git a/lib/public/util.php b/lib/public/util.php index d79d3f26b1..7c0cb66607 100644 --- a/lib/public/util.php +++ b/lib/public/util.php @@ -264,6 +264,18 @@ class Util { public static function callCheck(){ return(\OC_Util::callCheck()); } + + /** + * @brief Used to sanitize HTML + * + * This function is used to sanitize HTML and should be applied on any string or array of strings before displaying it on a web page. + * + * @param string or array of strings + * @return array with sanitized strings or a single sinitized string, depends on the input parameter. + */ + public static function sanitizeHTML( $value ){ + return(\OC_Util::sanitizeHTML($value)); //Specify encoding for PHP<5.4 + } } ?> diff --git a/lib/util.php b/lib/util.php index 0266a8ecc5..bcfeb417c1 100755 --- a/lib/util.php +++ b/lib/util.php @@ -370,7 +370,7 @@ class OC_Util { $_SESSION['requesttoken-'.$token]=time(); // cleanup old tokens garbage collector - // only run every 20th time so we donīt waste cpu cycles + // only run every 20th time so we don't waste cpu cycles if(rand(0,20)==0) { foreach($_SESSION as $key=>$value) { // search all tokens in the session @@ -426,4 +426,19 @@ class OC_Util { exit; } } + + /** + * @brief Public function to sanitize HTML + * + * This function is used to sanitize HTML and should be applied on any string or array of strings before displaying it on a web page. + * + * @param string or array of strings + * @return array with sanitized strings or a single sinitized string, depends on the input parameter. + */ + public static function sanitizeHTML( &$value ){ + if (is_array($value) || is_object($value)) array_walk_recursive($value,'OC_Util::sanitizeHTML'); + else $value = htmlentities($value, ENT_QUOTES, 'UTF-8'); //Specify encoding for PHP<5.4 + return $value; + } + } From 089ae980c40544de54a10d407fd366f61ef5ec48 Mon Sep 17 00:00:00 2001 
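Review bot: The comment `//Specify encoding for PHP<5.4` on `return(\OC_Util::sanitizeHTML($value));` was copied from the implementation and describes nothing on this line, since the wrapper passes no encoding; drop it. The docblock should also state what kind of sanitizing this is: it entity-encodes for an HTML element or attribute context, so it must be applied at output time and not to values that are stored, returned as JSON, or used in a URL or header. Replace the unnamed `@param string or array of strings` with something like `@param string|array $value value(s) to escape for HTML output; the result has the same shape as the input`.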
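Review bot: `htmlentities($value, ENT_QUOTES, 'UTF-8')` returns an empty string when `$value` is not valid UTF-8, so the scalar branch silently blanks such values instead of escaping them; on PHP 5.4+ `ENT_QUOTES | ENT_SUBSTITUTE` keeps the text with U+FFFD in place of bad bytes, and on older versions the docblock should warn that the result can come back empty. The by-reference signature `sanitizeHTML( &$value )` combined with the `is_object` branch means `array_walk_recursive` rewrites the caller's object properties in place, while arrays are copied, which is a side effect the by-value public wrapper hides. A comment on the object branch, `// NOTE: objects are modified in place, arrays and strings are not`, would at least make that visible to callers.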
From: Bjoern Schiessle Date: Tue, 19 Jun 2012 17:24:55 +0200 Subject: [PATCH 04/13] use new sanitize HTML function --- index.php | 2 +- lib/template.php | 8 +------- settings/admin.php | 2 +- settings/ajax/getlog.php | 2 +- settings/js/log.js | 2 +- 5 files changed, 5 insertions(+), 11 deletions(-) diff --git a/index.php b/index.php index 1171c0fe0c..e3c94adf66 100755 --- a/index.php +++ b/index.php @@ -122,7 +122,7 @@ elseif(OC_User::isLoggedIn()) { if(!array_key_exists('sectoken', $_SESSION) || (array_key_exists('sectoken', $_SESSION) && is_null(OC::$REQUESTEDFILE)) || substr(OC::$REQUESTEDFILE, -3) == 'php'){ $sectoken=rand(1000000,9999999); $_SESSION['sectoken']=$sectoken; - $redirect_url = (isset($_REQUEST['redirect_url'])) ? strip_tags($_REQUEST['redirect_url']) : $_SERVER['REQUEST_URI']; + $redirect_url = (isset($_REQUEST['redirect_url'])) ? OC_Util::sanitizeHTML($_REQUEST['redirect_url']) : $_SERVER['REQUEST_URI']; OC_Template::printGuestPage('', 'login', array('error' => $error, 'sectoken' => $sectoken, 'redirect' => $redirect_url)); } } diff --git a/lib/template.php b/lib/template.php index 77e9332d5b..75b33d8aac 100644 --- a/lib/template.php +++ b/lib/template.php @@ -308,13 +308,7 @@ class OC_Template{ * If the key existed before, it will be overwritten */ public function assign( $key, $value, $sanitizeHTML=true ){ - if($sanitizeHTML == true) { - if(is_array($value)) { - array_walk_recursive($value,'OC_Template::sanitizeHTML'); - } else { - $value = OC_Template::sanitizeHTML($value); - } - } + if($sanitizeHTML == true) $value=OC_Util::sanitizeHTML($value); $this->vars[$key] = $value; return true; } diff --git a/settings/admin.php b/settings/admin.php index 4cbd67c367..a997bad4e3 100644 --- a/settings/admin.php +++ b/settings/admin.php 
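Review bot: `OC_Util::sanitizeHTML($_REQUEST['redirect_url'])` escapes for an HTML context, but `redirect_url` is a URL the user is sent to after login, and neither this nor the `strip_tags` it replaces stops an absolute or protocol-relative value from redirecting off-site; the value should be validated as a local path (for example rejecting anything not starting with a single `/` or containing `://`) rather than entity-encoded. Because `OC_Util::sanitizeHTML` takes its argument by reference, this call also writes the encoded string back into `$_REQUEST['redirect_url']`. If `printGuestPage` passes its parameters through `assign()`, which now escapes by default, the value is encoded a second time at output — please confirm against `OC_Template`.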
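Review bot: `if($sanitizeHTML == true) $value=OC_Util::sanitizeHTML($value);` hands `$value` to a by-reference function whose `is_object` branch walks and rewrites the object's properties, so `assign()` now mutates a caller's object in place where the removed code only touched arrays and strings; either clone objects before escaping or document the side effect on `assign()`. The braceless single-line `if` and the loose `== true` are also out of step with the surrounding method; `if ($sanitizeHTML === true) { $value = OC_Util::sanitizeHTML($value); }` keeps the intent explicit.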
@@ -23,7 +23,7 @@ function compareEntries($a,$b){ usort($entries, 'compareEntries'); $tmpl->assign('loglevel',OC_Config::getValue( "loglevel", 2 )); -$tmpl->assign('entries',$entries,false); +$tmpl->assign('entries',$entries); $tmpl->assign('forms',array()); foreach($forms as $form){ $tmpl->append('forms',$form); diff --git a/settings/ajax/getlog.php b/settings/ajax/getlog.php index ed48b2cae1..d9e80de37b 100644 --- a/settings/ajax/getlog.php +++ b/settings/ajax/getlog.php @@ -14,4 +14,4 @@ $count=(isset($_GET['count']))?$_GET['count']:50; $offset=(isset($_GET['offset']))?$_GET['offset']:0; $entries=OC_Log_Owncloud::getEntries($count,$offset); -OC_JSON::success(array("data" => $entries)); +OC_JSON::success(array("data" => OC_Util::sanitizeHTML($entries))); diff --git a/settings/js/log.js b/settings/js/log.js index bde8b8b104..6063c7d9a9 100644 --- a/settings/js/log.js +++ b/settings/js/log.js @@ -39,7 +39,7 @@ OC.Log={ row.append(appTd); var messageTd=$(''); - messageTd.text(entry.message.replace(//, ">")); + messageTd.text(entry.message); row.append(messageTd); var timeTd=$(''); From 4b6f6291c524648ffaa77683d77b486bb467b7e8 Mon Sep 17 00:00:00 2001 From: Bart Visscher Date: Tue, 19 Jun 2012 17:54:19 +0200 Subject: [PATCH 05/13] Remember result of OC_User::isLoggedIn, can be very expensive to check --- lib/user.php | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/user.php b/lib/user.php index f1903093d6..23b88aa1d0 100644 --- a/lib/user.php +++ b/lib/user.php @@ -240,13 +240,17 @@ class OC_User { * Checks if the user is logged in */ public static function isLoggedIn(){ + static $is_login_checked = null; + if (!is_null($is_login_checked)) { + return $is_login_checked; + } if( isset($_SESSION['user_id']) AND $_SESSION['user_id']) { OC_App::loadApps(array('authentication')); if (self::userExists($_SESSION['user_id']) ){ - return true; + return $is_login_checked = true; } } - return false; + return $is_login_checked = false; } /** 
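Review bot: Entity-encoding the log entries in `OC_JSON::success(array("data" => OC_Util::sanitizeHTML($entries)))` and then rendering them with `messageTd.text(entry.message)` in the settings/js/log.js hunk means a `<` in a log message is shown to the admin as the literal text `&lt;`: jQuery's `.text()` inserts the value as text, not markup, so the server-side encoding is unnecessary for XSS here and visibly wrong. Keep `.text()` on the client and send the raw entries, or, if the JSON must stay encoded for other consumers, decode on the client before `.text()`; escaping belongs to the layer that renders.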
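Review bot: The function-local `static $is_login_checked` is never reset, so once `isLoggedIn()` has answered in a request, a later `OC_User::login()` or `logout()` in the same request keeps getting the stale answer if anything calls `isLoggedIn()` after the session changes (not visible in this hunk — please confirm against the login and logout paths). A function-local static cannot be reached from those methods; a `private static $isLoginChecked = null;` property that `login()` and `logout()` set back to `null` wherever `$_SESSION['user_id']` is written keeps the memoisation and the invalidation together. Alternatively key the cache on the `$_SESSION['user_id']` value so a changed session invalidates it automatically.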
From f11e4d7cd6c5cae9a0be52dff0bb2f32e20e7099 Mon Sep 17 00:00:00 2001 From: Bjoern Schiessle Date: Tue, 19 Jun 2012 19:29:43 +0200 Subject: [PATCH 06/13] removing sanitizeHTML() function from template.php since I moved it to util.php to make it more generic. --- lib/template.php | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/lib/template.php b/lib/template.php index 75b33d8aac..8fb0133b28 100644 --- a/lib/template.php +++ b/lib/template.php @@ -313,17 +313,6 @@ class OC_Template{ return true; } - - /** - * @brief Internaly used to sanitze HTML - * - * This function is internally used to sanitize HTML. - */ - private static function sanitizeHTML( &$value ){ - $value = htmlentities( $value , ENT_QUOTES, 'UTF-8'); //Specify encoding for PHP<5.4 - return $value; - } - /** * @brief Appends a variable * @param $key key From 28a72e0e3c25ecf8cc5ab61a4398ab687072b203 Mon Sep 17 00:00:00 2001 From: Sam Tuke Date: Tue, 19 Jun 2012 19:42:40 +0100 Subject: [PATCH 07/13] Fixed deleteAll function for deleting all old versions of files (expireAll) Added new readdir() method to all storage classes and handlers (only working implementation in local.php) --- apps/files_archive/lib/storage.php | 1 + apps/files_sharing/sharedstorage.php | 2 + apps/files_versions/versions.php | 68 ++++++++++++++++++---------- lib/filestorage.php | 1 + lib/filestorage/local.php | 3 ++ lib/filesystem.php | 3 ++ lib/filesystemview.php | 4 ++ 7 files changed, 59 insertions(+), 23 deletions(-) diff --git a/apps/files_archive/lib/storage.php b/apps/files_archive/lib/storage.php index 8676166361..2f10d6a3e4 100644 --- a/apps/files_archive/lib/storage.php +++ b/apps/files_archive/lib/storage.php @@ -49,6 +49,7 @@ class OC_Filestorage_Archive extends OC_Filestorage_Common{ OC_FakeDirStream::$dirs[$id]=$content; return opendir('fakedir://'.$id); } + public function readdir($path){} public function stat($path){ $ctime=filectime($this->path); $path=$this->stripPath($path); 
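Review bot: `public function readdir($path){}` in `OC_Filestorage_Archive` (and the identical stub in the apps/files_sharing/sharedstorage.php hunk) returns `null` for every handle, so a caller looping `while ($entry = $storage->readdir($h))` on these storages just stops without any error; the abstract method added in the lib/filestorage.php hunk also names the parameter `$path` although the local implementation receives a directory handle. A stub that is not implemented should say so and keep the PHP `readdir()` contract: `public function readdir($handle){ return false; } // not supported by this storage`, and the abstract declaration should read `abstract public function readdir($handle);`.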
diff --git a/apps/files_sharing/sharedstorage.php b/apps/files_sharing/sharedstorage.php index 1a6942ad16..9174334383 100644 --- a/apps/files_sharing/sharedstorage.php +++ b/apps/files_sharing/sharedstorage.php @@ -139,6 +139,8 @@ class OC_Filestorage_Shared extends OC_Filestorage { } } + public function readdir( $path ) {} + public function is_dir($path) { if ($path == "" || $path == "/") { return true; diff --git a/apps/files_versions/versions.php b/apps/files_versions/versions.php index 44ce7c635a..6feb0cbb9c 100644 --- a/apps/files_versions/versions.php +++ b/apps/files_versions/versions.php 
@@ -303,66 +303,88 @@ class Storage { */ public static function expireAll() { - function deleteAll($directory, $empty = false) { + function deleteAll( $directory, $empty = false ) { - if(substr($directory,-1) == "/") { - $directory = substr($directory,0,-1); + // strip leading slash + if( substr( $directory, 0, 1 ) == "/" ) { + + $directory = substr( $directory, 1 ); + + } + + // strip trailing slash + if( substr( $directory, -1) == "/" ) { + + $directory = substr( $directory, 0, -1 ); + } - if(!file_exists($directory) || !is_dir($directory)) { + $view = new \OC_FilesystemView(''); + + if ( !$view->file_exists( $directory ) || !$view->is_dir( $directory ) ) { return false; - } elseif(!is_readable($directory)) { + } elseif( !$view->is_readable( $directory ) ) { return false; } else { - $directoryHandle = opendir($directory); - - while ($contents = readdir($directoryHandle)) { + $foldername = \OCP\Config::getSystemValue('datadirectory') .'/' . \OCP\USER::getUser() .'/' . $directory; // have to set an absolute path for use with PHP's opendir as OC version doesn't work - if( $contents != '.' && $contents != '..') { + $directoryHandle = opendir( $foldername ); + + while ( $contents = $view->readdir( $directoryHandle ) ) { + + if ( $contents != '.' && $contents != '..') { $path = $directory . "/" . $contents; - if( is_dir($path) ) { + if ( $view->is_dir( $path ) ) { - deleteAll($path); + deleteAll( $path ); } else { - - unlink($path); + + $view->unlink( \OCP\USER::getUser() .'/' . 
$path ); // TODO: make unlink use same system path as is_dir } } } - closedir( $directoryHandle ); + //$view->closedir( $directoryHandle ); // TODO: implement closedir in OC_FSV - if( $empty == false ) { + if ( $empty == false ) { - if(!rmdir($directory)) { + if ( !$view->rmdir( $directory ) ) { return false; } - } + } return true; } } - - /* - // FIXME: make this path dynamic - $dir = '/home/samtuke/owncloud/git/oc5/data/admin/versions'; + + $dir = \OCP\Config::getSystemValue('files_versionsfolder', Storage::DEFAULTFOLDER); + + deleteAll( $dir, true ); - ( deleteAll( $dir, 1 ) ? return true : return false ); - */ +// if ( deleteAll( $dir, 1 ) ) { +// +// echo "

deleted ok

"; +// +// } else { +// +// echo "

not deleted

"; +// +// } + } diff --git a/lib/filestorage.php b/lib/filestorage.php index 71ef4aed00..bf353bb0cc 100644 --- a/lib/filestorage.php +++ b/lib/filestorage.php @@ -28,6 +28,7 @@ abstract class OC_Filestorage{ abstract public function mkdir($path); abstract public function rmdir($path); abstract public function opendir($path); + abstract public function readdir($path); abstract public function is_dir($path); abstract public function is_file($path); abstract public function stat($path); diff --git a/lib/filestorage/local.php b/lib/filestorage/local.php index 44a2ab0f63..27794fe17c 100644 --- a/lib/filestorage/local.php +++ b/lib/filestorage/local.php @@ -20,6 +20,9 @@ class OC_Filestorage_Local extends OC_Filestorage{ public function opendir($path){ return opendir($this->datadir.$path); } + public function readdir($handle){ + return readdir($handle); + } public function is_dir($path){ if(substr($path,-1)=='/'){ $path=substr($path,0,-1); diff --git a/lib/filesystem.php b/lib/filesystem.php index 89de533d72..0d0943d363 100644 --- a/lib/filesystem.php +++ b/lib/filesystem.php @@ -399,6 +399,9 @@ class OC_Filesystem{ static public function opendir($path){ return self::$defaultInstance->opendir($path); } + static public function readdir($path){ + return self::$defaultInstance->readdir($path); + } static public function is_dir($path){ return self::$defaultInstance->is_dir($path); } diff --git a/lib/filesystemview.php b/lib/filesystemview.php index 813a87cd74..da622bcf92 100644 --- a/lib/filesystemview.php +++ b/lib/filesystemview.php @@ -158,6 +158,10 @@ class OC_FilesystemView { public function opendir($path){ return $this->basicOperation('opendir',$path,array('read')); } + public function readdir($handle){ + $fsLocal= new OC_Filestorage_Local( array( 'datadir' => '/' ) ); + return $fsLocal->readdir( $handle ); + } public function is_dir($path){ if($path=='/'){ return true; From d8b32c2f0e962531fa36707faa6deed6ebb2e378 Mon Sep 17 00:00:00 2001 
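Review bot: `function deleteAll( $directory, $empty = false )` is declared inside `expireAll()`, which registers a global function the first time `expireAll()` runs, so a second call in the same request fails with a fatal redeclare error; make it a private static method or a closure assigned to a local variable. The handle from `opendir( $foldername )` is never released now that `closedir` is commented out, and `while ( $contents = $view->readdir( $directoryHandle ) )` stops early on an entry literally named `0`; `while (($contents = $view->readdir($directoryHandle)) !== false)` plus `closedir($directoryHandle);` after the loop fixes both. The walk also mixes three path spaces — the absolute `$foldername` built from `datadirectory`, the view-relative `$path` passed to `is_dir`, and the user-prefixed path passed to `unlink` — and the TODO comments acknowledge it; until they agree, the directory listed and the files deleted are not guaranteed to be the same tree.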
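Review bot: `OC_FilesystemView::readdir($handle)` sidesteps the view: it instantiates `new OC_Filestorage_Local( array( 'datadir' => '/' ) )` and calls PHP `readdir` on whatever handle it is given, so unlike the `basicOperation` dispatch used by `opendir` directly above it respects neither the storage mounted for the path nor the view's root. A handle returned by `$view->opendir()` on a non-local mount cannot be consumed here, and a raw handle opened on `/` reads any directory the web server can. Either have the view remember which storage produced each handle and dispatch `readdir` to it, or mark the method with a comment such as `// FIXME: local-only shim; does not honour mounts or the view root` so callers do not treat it as a real view operation.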
From: Bart Visscher Date: Tue, 19 Jun 2012 22:12:05 +0200 Subject: [PATCH 08/13] Move check code from setupFS to checkServer --- lib/util.php | 54 +++++++++++++++++++--------------------------------- 1 file changed, 20 insertions(+), 34 deletions(-) diff --git a/lib/util.php b/lib/util.php index bcfeb417c1..b6564468ff 100755 --- a/lib/util.php +++ b/lib/util.php 
@@ -19,41 +19,12 @@ class OC_Util { return false; } - $CONFIG_DATADIRECTORY_ROOT = OC_Config::getValue( "datadirectory", OC::$SERVERROOT."/data" ); - $CONFIG_BACKUPDIRECTORY = OC_Config::getValue( "backupdirectory", OC::$SERVERROOT."/backup" ); - - // Check if config folder is writable. - if(!is_writable(OC::$SERVERROOT."/config/")) { - $tmpl = new OC_Template( '', 'error', 'guest' ); - $tmpl->assign('errors',array(1=>array('error'=>"Can't write into config directory 'config'",'hint'=>"You can usually fix this by giving the webserver user write access to the config directory in owncloud"))); - $tmpl->printPage(); - exit; - } - - // Check if apps folder is writable. - if(OC_Config::getValue('writable_appsdir', true) && !is_writable(OC::$SERVERROOT."/apps/")) { - $tmpl = new OC_Template( '', 'error', 'guest' ); - $tmpl->assign('errors',array(1=>array('error'=>"Can't write into apps directory 'apps'",'hint'=>"You can usually fix this by giving the webserver user write access to the config directory in owncloud"))); - $tmpl->printPage(); - exit; - } - - // Create root dir. 
- if(!is_dir($CONFIG_DATADIRECTORY_ROOT)){ - $success=@mkdir($CONFIG_DATADIRECTORY_ROOT); - if(!$success) { - $tmpl = new OC_Template( '', 'error', 'guest' ); - $tmpl->assign('errors',array(1=>array('error'=>"Can't create data directory (".$CONFIG_DATADIRECTORY_ROOT.")",'hint'=>"You can usually fix this by giving the webserver write access to the ownCloud directory '".OC::$SERVERROOT."' (in a terminal, use the command 'chown -R www-data:www-data /path/to/your/owncloud/install/data' "))); - $tmpl->printPage(); - exit; - } - } - // If we are not forced to load a specific user we load the one that is logged in if( $user == "" && OC_User::isLoggedIn()){ $user = OC_User::getUser(); } + $CONFIG_DATADIRECTORY_ROOT = OC_Config::getValue( "datadirectory", OC::$SERVERROOT."/data" ); //first set up the local "root" storage if(!self::$rootMounted){ OC_Filesystem::mount('OC_Filestorage_Local',array('datadir'=>$CONFIG_DATADIRECTORY_ROOT),'/'); @@ -209,9 +180,6 @@ class OC_Util { * @return array arrays with error messages and hints */ public static function checkServer(){ - $CONFIG_DATADIRECTORY_ROOT = OC_Config::getValue( "datadirectory", OC::$SERVERROOT."/data" ); - $CONFIG_BACKUPDIRECTORY = OC_Config::getValue( "backupdirectory", OC::$SERVERROOT."/backup" ); - $CONFIG_INSTALLED = OC_Config::getValue( "installed", false ); $errors=array(); //check for database drivers 
@@ -224,6 +192,17 @@ class OC_Util { //common hint for all file permissons error messages $permissionsHint="Permissions can usually be fixed by giving the webserver write access to the ownCloud directory"; + // Check if config folder is writable. + if(!is_writable(OC::$SERVERROOT."/config/")) { + $errors[]=array('error'=>"Can't write into config directory 'config'",'hint'=>"You can usually fix this by giving the webserver user write access to the config directory in owncloud"); + } + + // Check if apps folder is writable. + if(OC_Config::getValue('writable_appsdir', true) && !is_writable(OC::$SERVERROOT."/apps/")) { + $errors[]=array('error'=>"Can't write into apps directory 'apps'",'hint'=>"You can usually fix this by giving the webserver user write access to the config directory in owncloud"); + } + + $CONFIG_DATADIRECTORY_ROOT = OC_Config::getValue( "datadirectory", OC::$SERVERROOT."/data" ); //check for correct file permissions if(!stristr(PHP_OS, 'WIN')){ $permissionsModHint="Please change the permissions to 0770 so that the directory cannot be listed by other users."; @@ -237,6 +216,7 @@ class OC_Util { } } if( OC_Config::getValue( "enablebackup", false )){ + $CONFIG_BACKUPDIRECTORY = OC_Config::getValue( "backupdirectory", OC::$SERVERROOT."/backup" ); $prems=substr(decoct(@fileperms($CONFIG_BACKUPDIRECTORY)),-3); if(substr($prems,-1)!='0'){ OC_Helper::chmodr($CONFIG_BACKUPDIRECTORY,0770); 
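Review bot: The hint attached to the apps-directory check says `write access to the config directory in owncloud`, copied from the config check just above it, so it points the administrator at the wrong directory. Change it to `'hint'=>"You can usually fix this by giving the webserver user write access to the apps directory in owncloud"`. Both checks now append to `$errors` instead of stopping the request, which matches the purpose of the move; `checkServer` continues past this hunk.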
@@ -250,7 +230,13 @@ class OC_Util { }else{ //TODO: permissions checks for windows hosts } - if(is_dir($CONFIG_DATADIRECTORY_ROOT) and !is_writable($CONFIG_DATADIRECTORY_ROOT)){ + // Create root dir. + if(!is_dir($CONFIG_DATADIRECTORY_ROOT)){ + $success=@mkdir($CONFIG_DATADIRECTORY_ROOT); + if(!$success) { + $errors[]=array('error'=>"Can't create data directory (".$CONFIG_DATADIRECTORY_ROOT.")",'hint'=>"You can usually fix this by giving the webserver write access to the ownCloud directory '".OC::$SERVERROOT."' (in a terminal, use the command 'chown -R www-data:www-data /path/to/your/owncloud/install/data' "); + } + } else if(!is_writable($CONFIG_DATADIRECTORY_ROOT)){ $errors[]=array('error'=>'Data directory ('.$CONFIG_DATADIRECTORY_ROOT.') not writable by ownCloud
','hint'=>$permissionsHint); } From f54ef5a464e3530da36f2ebe7f88052cac0c6ad0 Mon Sep 17 00:00:00 2001 From: Bart Visscher Date: Tue, 19 Jun 2012 22:50:28 +0200 Subject: [PATCH 09/13] Remove OC::$CONFIG_DATADIRECTORY, not used --- lib/base.php | 12 ------------ lib/files.php | 5 +---- lib/util.php | 34 +++++++++++++++++----------------- 3 files changed, 18 insertions(+), 33 deletions(-) diff --git a/lib/base.php b/lib/base.php index db55504117..6e209afebd 100644 --- a/lib/base.php +++ b/lib/base.php @@ -42,10 +42,6 @@ class OC{ * the owncloud root path for http requests (e.g. owncloud/) */ public static $WEBROOT = ''; - /** - * the folder that stores that data files for the filesystem of the user (e.g. /srv/http/owncloud/data/myusername/files) - */ - public static $CONFIG_DATADIRECTORY = ''; /** * The installation path of the 3rdparty folder on the server (e.g. /srv/http/owncloud/3rdparty) */ @@ -349,19 +345,11 @@ class OC{ exit; } - // TODO: we should get rid of this one, too - // WARNING: to make everything even more confusing, - // DATADIRECTORY is a var that changes and DATADIRECTORY_ROOT - // stays the same, but is set by "datadirectory". - // Any questions? - OC::$CONFIG_DATADIRECTORY = OC_Config::getValue( "datadirectory", OC::$SERVERROOT."/data" ); - // User and Groups if( !OC_Config::getValue( "installed", false )){ $_SESSION['user_id'] = ''; } - OC_User::useBackend( OC_Config::getValue( "userbackend", "database" )); OC_Group::useBackend(new OC_Group_Database()); diff --git a/lib/files.php b/lib/files.php index 3ecf08739b..469c3a15b8 100644 --- a/lib/files.php +++ b/lib/files.php 
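Review bot: The `// Create root dir.` block now runs after the permission check on the same directory — `fileperms($CONFIG_DATADIRECTORY_ROOT)` and the `OC_Helper::chmodr(...,0770)` correction earlier in `checkServer` execute before `@mkdir($CONFIG_DATADIRECTORY_ROOT)` creates it — so on a fresh install the data directory is created with the process umask (commonly 0755, listable by other local users) and is only tightened on a later `checkServer()` run. Move the create block above the permission check, or create it with an explicit mode: `$success=@mkdir($CONFIG_DATADIRECTORY_ROOT, 0770);`. The old `setupFS` code created the directory before any check, so this ordering is new.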
@@ -30,12 +30,9 @@ class OC_Files { /** * get the content of a directory - * @param dir $directory + * @param dir $directory path under datadirectory */ public static function getDirectoryContent($directory, $mimetype_filter = ''){ - if(strpos($directory,OC::$CONFIG_DATADIRECTORY)===0){ - $directory=substr($directory,strlen(OC::$CONFIG_DATADIRECTORY)); - } $files=OC_FileCache::getFolderContent($directory, false, $mimetype_filter); foreach($files as &$file){ $file['directory']=$directory; diff --git a/lib/util.php b/lib/util.php index b6564468ff..5492587862 100755 --- a/lib/util.php +++ b/lib/util.php @@ -24,16 +24,16 @@ class OC_Util { $user = OC_User::getUser(); } - $CONFIG_DATADIRECTORY_ROOT = OC_Config::getValue( "datadirectory", OC::$SERVERROOT."/data" ); + $CONFIG_DATADIRECTORY = OC_Config::getValue( "datadirectory", OC::$SERVERROOT."/data" ); //first set up the local "root" storage if(!self::$rootMounted){ - OC_Filesystem::mount('OC_Filestorage_Local',array('datadir'=>$CONFIG_DATADIRECTORY_ROOT),'/'); + OC_Filesystem::mount('OC_Filestorage_Local',array('datadir'=>$CONFIG_DATADIRECTORY),'/'); self::$rootMounted=true; } if( $user != "" ){ //if we aren't logged in, there is no use to set up the filesystem - OC::$CONFIG_DATADIRECTORY = $CONFIG_DATADIRECTORY_ROOT."/$user/$root"; - if( !is_dir( OC::$CONFIG_DATADIRECTORY )){ - mkdir( OC::$CONFIG_DATADIRECTORY, 0755, true ); + $userdirectory = $CONFIG_DATADIRECTORY."/$user/$root"; + if( !is_dir( $userdirectory )){ + mkdir( $userdirectory, 0755, true ); } //jail the user into his "home" directory 
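Review bot: `mkdir( $userdirectory, 0755, true )` creates the per-user tree (and, with the recursive flag, any missing parent) readable by other local users, while `checkServer` insists that the data directory itself be 0770 so it cannot be listed by them; since the line is being rewritten for the rename anyway, align the mode: `mkdir( $userdirectory, 0770, true );`. The parent's 0770 only shields these directories as long as it is actually set, which is not something `setupFS` verifies.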
@@ -42,8 +42,8 @@ class OC_Util { OC_FileProxy::register($quotaProxy); self::$fsSetup=true; // Load personal mount config - if (is_file($CONFIG_DATADIRECTORY_ROOT.'/'.$user.'/mount.php')) { - $mountConfig = include($CONFIG_DATADIRECTORY_ROOT.'/'.$user.'/mount.php'); + if (is_file($CONFIG_DATADIRECTORY.'/'.$user.'/mount.php')) { + $mountConfig = include($CONFIG_DATADIRECTORY.'/'.$user.'/mount.php'); if (isset($mountConfig['user'][$user])) { foreach ($mountConfig['user'][$user] as $mountPoint => $options) { OC_Filesystem::mount($options['class'], $options['options'], $mountPoint); @@ -202,17 +202,17 @@ class OC_Util { $errors[]=array('error'=>"Can't write into apps directory 'apps'",'hint'=>"You can usually fix this by giving the webserver user write access to the config directory in owncloud"); } - $CONFIG_DATADIRECTORY_ROOT = OC_Config::getValue( "datadirectory", OC::$SERVERROOT."/data" ); + $CONFIG_DATADIRECTORY = OC_Config::getValue( "datadirectory", OC::$SERVERROOT."/data" ); //check for correct file permissions if(!stristr(PHP_OS, 'WIN')){ $permissionsModHint="Please change the permissions to 0770 so that the directory cannot be listed by other users."; - $prems=substr(decoct(@fileperms($CONFIG_DATADIRECTORY_ROOT)),-3); + $prems=substr(decoct(@fileperms($CONFIG_DATADIRECTORY)),-3); if(substr($prems,-1)!='0'){ - OC_Helper::chmodr($CONFIG_DATADIRECTORY_ROOT,0770); + OC_Helper::chmodr($CONFIG_DATADIRECTORY,0770); clearstatcache(); - $prems=substr(decoct(@fileperms($CONFIG_DATADIRECTORY_ROOT)),-3); + $prems=substr(decoct(@fileperms($CONFIG_DATADIRECTORY)),-3); if(substr($prems,2,1)!='0'){ - $errors[]=array('error'=>'Data directory ('.$CONFIG_DATADIRECTORY_ROOT.') is readable for other users
','hint'=>$permissionsModHint); + $errors[]=array('error'=>'Data directory ('.$CONFIG_DATADIRECTORY.') is readable for other users
','hint'=>$permissionsModHint); } } if( OC_Config::getValue( "enablebackup", false )){ @@ -231,13 +231,13 @@ class OC_Util { //TODO: permissions checks for windows hosts } // Create root dir. - if(!is_dir($CONFIG_DATADIRECTORY_ROOT)){ - $success=@mkdir($CONFIG_DATADIRECTORY_ROOT); + if(!is_dir($CONFIG_DATADIRECTORY)){ + $success=@mkdir($CONFIG_DATADIRECTORY); if(!$success) { - $errors[]=array('error'=>"Can't create data directory (".$CONFIG_DATADIRECTORY_ROOT.")",'hint'=>"You can usually fix this by giving the webserver write access to the ownCloud directory '".OC::$SERVERROOT."' (in a terminal, use the command 'chown -R www-data:www-data /path/to/your/owncloud/install/data' "); + $errors[]=array('error'=>"Can't create data directory (".$CONFIG_DATADIRECTORY.")",'hint'=>"You can usually fix this by giving the webserver write access to the ownCloud directory '".OC::$SERVERROOT."' (in a terminal, use the command 'chown -R www-data:www-data /path/to/your/owncloud/install/data' "); } - } else if(!is_writable($CONFIG_DATADIRECTORY_ROOT)){ - $errors[]=array('error'=>'Data directory ('.$CONFIG_DATADIRECTORY_ROOT.') not writable by ownCloud
','hint'=>$permissionsHint); + } else if(!is_writable($CONFIG_DATADIRECTORY)){ + $errors[]=array('error'=>'Data directory ('.$CONFIG_DATADIRECTORY.') not writable by ownCloud
','hint'=>$permissionsHint); } // check if all required php modules are present From 13a9ef36fb7bf7706af545cbe227296fa005403c Mon Sep 17 00:00:00 2001 From: Robin Appelman Date: Wed, 20 Jun 2012 11:34:17 +0200 Subject: [PATCH 10/13] don't show other users file if the filesystem is not index already --- lib/filecache/cached.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/filecache/cached.php b/lib/filecache/cached.php index a22adad452..17a792a23d 100644 --- a/lib/filecache/cached.php +++ b/lib/filecache/cached.php @@ -55,6 +55,9 @@ class OC_FileCache_Cached{ $root=OC_Filesystem::getRoot(); } $parent=OC_FileCache::getId($path,$root); + if($parent==-1){ + return array(); + } $query=OC_DB::prepare('SELECT path,name,ctime,mtime,mimetype,size,encrypted,versioned,writable FROM *PREFIX*fscache WHERE parent=? AND (mimetype LIKE ? OR mimetype = ?)'); $result=$query->execute(array($parent, $mimetype_filter.'%', 'httpd/unix-directory'))->fetchAll(); if(is_array($result)){ From 8d89bba07cc1add9d464a63a360c9338099e3d30 Mon Sep 17 00:00:00 2001 From: Bjoern Schiessle Date: Wed, 20 Jun 2012 12:23:26 +0200 Subject: [PATCH 11/13] use new sanitizeHTML() function --- apps/media/js/collection.js | 10 +++++----- apps/media/lib_scanner.php | 6 +++--- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/apps/media/js/collection.js b/apps/media/js/collection.js index 03d577c7c9..161fc0c681 100644 --- a/apps/media/js/collection.js +++ b/apps/media/js/collection.js 
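Review bot: `if($parent==-1){ return array(); }` is a loose comparison; if `OC_FileCache::getId` can also signal "unknown path" with `false` or `null` (not visible here), `false == -1` is false and the query still runs with a bogus parent, so `=== -1` plus a check for any other sentinel the function returns is safer. The guard itself is the right fix: per the commit subject, querying `WHERE parent=?` with -1 returned entries belonging to other users, and `array()` is the correct empty result for an unindexed path.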
@@ -97,13 +97,13 @@ Collection={ if(artist.name && artist.songs.length>0){ var tr=template.clone().removeClass('template'); if(artist.songs.length>1){ - tr.find('td.title a').text(artist.songs.length+' '+t('media','songs')); - tr.find('td.album a').text(artist.albums.length+' '+t('media','albums')); + tr.find('td.title a').html(artist.songs.length+' '+t('media','songs')); + tr.find('td.album a').html(artist.albums.length+' '+t('media','albums')); }else{ - tr.find('td.title a').text(artist.songs[0].name); - tr.find('td.album a').text(artist.albums[0].name); + tr.find('td.title a').html(artist.songs[0].name); + tr.find('td.album a').html(artist.albums[0].name); } - tr.find('td.artist a').text(artist.name); + tr.find('td.artist a').html(artist.name); tr.data('artistData',artist); tr.find('td.artist a').click(function(event){ event.preventDefault(); diff --git a/apps/media/lib_scanner.php b/apps/media/lib_scanner.php index 82170e5ca8..a8218c3a4d 100644 --- a/apps/media/lib_scanner.php +++ b/apps/media/lib_scanner.php @@ -79,19 +79,19 @@ class OC_MEDIA_SCANNER{ OCP\Util::writeLog('media',"error reading artist tag in '$file'",OCP\Util::WARN); $artist='unknown'; }else{ - $artist=strip_tags(stripslashes($data['comments']['artist'][0])); + $artist=OCP\Util::sanitizeHTML(stripslashes($data['comments']['artist'][0])); } if(!isset($data['comments']['album'])){ OCP\Util::writeLog('media',"error reading album tag in '$file'",OCP\Util::WARN); $album='unknown'; }else{ - $album=strip_tags(stripslashes($data['comments']['album'][0])); + $album=OCP\Util::sanitizeHTML(stripslashes($data['comments']['album'][0])); } if(!isset($data['comments']['title'])){ OCP\Util::writeLog('media',"error reading title tag in '$file'",OCP\Util::WARN); $title='unknown'; }else{ - $title=strip_tags(stripslashes($data['comments']['title'][0])); + $title=OCP\Util::sanitizeHTML(stripslashes($data['comments']['title'][0])); } $size=$data['filesize']; if (isset($data['comments']['track'])) 
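Review bot: Switching `tr.find('td.artist a').text(artist.name)` and the five sibling calls to `.html()` turns every value in this hunk into markup: any artist, album or song name that reaches the browser without entity encoding — rows scanned before the scanner started encoding, names written by any other code path, or the `t('media', ...)` strings — is now inserted as HTML. `.text()` was already the safe rendering; the double escaping that motivated the change is better fixed by not encoding at scan time (see the apps/media/lib_scanner.php hunk) than by weakening the client. If the stored data must stay encoded for now, decode it in one place and keep `.text()` rather than using `.html()` at six call sites.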
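Review bot: `$artist=OCP\Util::sanitizeHTML(stripslashes($data['comments']['artist'][0]));` (and the album and title lines) entity-encodes tag data before it is stored, so the database ends up holding HTML-escaped names that are wrong for every non-HTML consumer (JSON responses, playlists, search, exports) and that force the UI to render with `.html()`. Store the raw tag value and escape at output; if some cleaning is wanted at scan time, keep it to context-free normalisation such as UTF-8 validation or control-character stripping. The `strip_tags` this replaces had the same layering problem but did not alter ordinary characters such as `&`.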
From 7c6b8475ebf99ef87543bc77f0d2440c046befcf Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Tue, 19 Jun 2012 01:15:58 +0200 Subject: [PATCH 12/13] LDAP: only map users within the User Base Tree --- apps/user_ldap/group_ldap.php | 4 +++- apps/user_ldap/lib_ldap.php | 10 ++++++++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/apps/user_ldap/group_ldap.php b/apps/user_ldap/group_ldap.php index 78bc5b4656..a3117b5a41 100644 --- a/apps/user_ldap/group_ldap.php +++ b/apps/user_ldap/group_ldap.php @@ -166,7 +166,9 @@ class OC_GROUP_LDAP extends OC_Group_Backend { $result[] = OC_LDAP::dn2username($ldap_users[0]); continue; } else { - $result[] = OC_LDAP::dn2username($member); + if($ocname = OC_LDAP::dn2username($member)){ + $result[] = $ocname; + } } } if(!$isMemberUid) { diff --git a/apps/user_ldap/lib_ldap.php b/apps/user_ldap/lib_ldap.php index befdf267bc..6feb6d3c65 100644 --- a/apps/user_ldap/lib_ldap.php +++ b/apps/user_ldap/lib_ldap.php @@ -166,11 +166,14 @@ class OC_LDAP { * @brief returns the internal ownCloud name for the given LDAP DN of the group * @param $dn the dn of the group object * @param $ldapname optional, the display name of the object - * @returns string with with the name to use in ownCloud + * @returns string with with the name to use in ownCloud, false on DN outside of search DN * * returns the internal ownCloud name for the given LDAP DN of the group */ static public function dn2groupname($dn, $ldapname = null) { + if(strrpos($dn, self::ldapBaseGroups) !== (strlen($dn)-strlen(self::ldapBaseGroups)-1)) { + return false; + } return self::dn2ocname($dn, $ldapname, false); } 
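Review bot: The `$isMemberUid` branch on the context line above, `$result[] = OC_LDAP::dn2username($ldap_users[0]);`, still appends the return value unguarded, so a member resolved by uid whose DN lies outside the user base now inserts `false` into `$result` while the DN branch below correctly skips it. Apply the same guard there: `if($ocname = OC_LDAP::dn2username($ldap_users[0])){ $result[] = $ocname; }`. Since `dn2username` returns a string or `false`, `!== false` would be the precise test if an ownCloud name of `'0'` is possible; the enclosing loop starts before this hunk.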
@@ -180,9 +183,12 @@ class OC_LDAP { * @param $ldapname optional, the display name of the object * @returns string with with the name to use in ownCloud * - * returns the internal ownCloud name for the given LDAP DN of the user + * returns the internal ownCloud name for the given LDAP DN of the user, false on DN outside of search DN */ static public function dn2username($dn, $ldapname = null) { + if(strrpos($dn, self::ldapBaseUsers) !== (strlen($dn)-strlen(self::ldapBaseUsers)-1)) { + return false; + } return self::dn2ocname($dn, $ldapname, true); } From 5b02217906a44312ffe43a97124a6ad2f0707aef Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Wed, 20 Jun 2012 12:41:30 +0200 Subject: [PATCH 13/13] forgotten $, incorrect subtract --- apps/user_ldap/lib_ldap.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/user_ldap/lib_ldap.php b/apps/user_ldap/lib_ldap.php index 6feb6d3c65..aa104eb512 100644 --- a/apps/user_ldap/lib_ldap.php +++ b/apps/user_ldap/lib_ldap.php @@ -171,7 +171,7 @@ class OC_LDAP { * returns the internal ownCloud name for the given LDAP DN of the group */ static public function dn2groupname($dn, $ldapname = null) { - if(strrpos($dn, self::ldapBaseGroups) !== (strlen($dn)-strlen(self::ldapBaseGroups)-1)) { + if(strrpos($dn, self::$ldapBaseGroups) !== (strlen($dn)-strlen(self::$ldapBaseGroups))) { return false; } return self::dn2ocname($dn, $ldapname, false); @@ -186,7 +186,7 @@ class OC_LDAP { * returns the internal ownCloud name for the given LDAP DN of the user, false on DN outside of search DN */ static public function dn2username($dn, $ldapname = null) { - if(strrpos($dn, self::ldapBaseUsers) !== (strlen($dn)-strlen(self::ldapBaseUsers)-1)) { + if(strrpos($dn, self::$ldapBaseUsers) !== (strlen($dn)-strlen(self::$ldapBaseUsers))) { return false; } return self::dn2ocname($dn, $ldapname, true);
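Review bot: The suffix test `strrpos($dn, self::$ldapBaseUsers) !== (strlen($dn)-strlen(self::$ldapBaseUsers))` compares DNs byte-for-byte, but LDAP DNs match case-insensitively and allow whitespace after the RDN separator, so a server returning `DC=Example,DC=Com` or `cn=x, dc=example, dc=com` against a configured `dc=example,dc=com` is rejected and the user cannot log in; `dn2groupname` in the hunk above has the same issue. It also does not require the base to be preceded by a `,` or to be the whole DN, so it is looser than "is under the base". Normalise both sides before comparing, e.g. `$base = strtolower(preg_replace('/,\s*/', ',', self::$ldapBaseUsers)); $ndn = strtolower(preg_replace('/,\s*/', ',', $dn));` and then test `$ndn === $base || substr($ndn, -strlen($base) - 1) === ','.$base`. Comparing exploded RDN components (`ldap_explode_dn()`) would be more faithful, but the normalised string check is already a clear improvement.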