From f74525c349c501c750d35e43153c862cf56a0221 Mon Sep 17 00:00:00 2001
From: Robin Appelman
Date: Sun, 26 Jul 2015 19:13:31 +0200
Subject: [PATCH 1/2] check if the user is trying to scan a valid path

---
 lib/private/files/utils/scanner.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/private/files/utils/scanner.php b/lib/private/files/utils/scanner.php
index 3d68eb530a..c70f4beb31 100644
--- a/lib/private/files/utils/scanner.php
+++ b/lib/private/files/utils/scanner.php
@@ -131,6 +131,9 @@ class Scanner extends PublicEmitter {
 	 * @throws \OC\ForbiddenException
 	 */
 	public function scan($dir = '') {
+		if (!Filesystem::isValidPath($dir)) {
+			throw new \InvalidArgumentException('Invalid path to scan');
+		}
 		$mounts = $this->getMounts($dir);
 		foreach ($mounts as $mount) {
 			if (is_null($mount->getStorage())) {

From c20d4d1a0bf2a57754c675218a458365df2742ff Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Mon, 27 Jul 2015 11:18:41 +0200
Subject: [PATCH 2/2] Add unit tests

---
 tests/lib/files/utils/scanner.php | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/tests/lib/files/utils/scanner.php b/tests/lib/files/utils/scanner.php
index ca64b1db72..75cd75ee3f 100644
--- a/tests/lib/files/utils/scanner.php
+++ b/tests/lib/files/utils/scanner.php
@@ -189,4 +189,32 @@ class Scanner extends \Test\TestCase {
 		$newInfo = $cache->get('');
 		$this->assertNotEquals($oldInfo['etag'], $newInfo['etag']);
 	}
+
+	/**
+	 * @return array
+	 */
+	public function invalidPathProvider() {
+		return [
+			[
+				'../',
+			],
+			[
+				'..\\',
+			],
+			[
+				'../..\\../',
+			],
+		];
+	}
+
+	/**
+	 * @dataProvider invalidPathProvider
+	 * @expectedException \InvalidArgumentException
+	 * @expectedExceptionMessage Invalid path to scan
+	 * @param string $invalidPath
+	 */
+	public function testInvalidPathScanning($invalidPath) {
+		$scanner = new TestScanner('', \OC::$server->getDatabaseConnection());
+		$scanner->scan($invalidPath);
+	}
 }
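Review bot: The docblock of scan() still lists only `@throws \OC\ForbiddenException`, so the new `\InvalidArgumentException` raised by the added guard is undocumented for callers that must decide between "not permitted" and "malformed path"; add `* @throws \InvalidArgumentException if $dir is not a valid path (e.g. contains traversal sequences)` next to the existing @throws line. Rejecting the path before getMounts() is called is the right place for the check, since no mount or storage lookup happens on an unvalidated path. The hunk does not show the file's use statements, so whether Filesystem resolves to \OC\Files\Filesystem here is inferred from the surrounding namespace rather than visible. The body of scan() continues past the end of the hunk.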
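Review bot: The datasets in invalidPathProvider() are unnamed, so a failing case reports only an index rather than which traversal form regressed; keying them reads better in PHPUnit output, e.g. `'parent dir' => ['../'],`, `'parent dir backslash' => ['..\\'],`, `'mixed separators' => ['../..\\../'],`. The three cases all exercise `..` sequences; if Filesystem::isValidPath also rejects other input (embedded NUL bytes, for instance), a dataset for that would document the contract the scanner now relies on, but I cannot confirm that from this hunk. The `@return array` docblock could state the shape the provider yields, `@return array<int, array{string}>`, so the parameter type of testInvalidPathScanning is visibly tied to it. The test asserts the exact message 'Invalid path to scan', which matches the string thrown in the first patch.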