verify the path in the autoloader

lib/autoloader.php

@@ -34,12 +34,33 @@ class Autoloader {
 
 	private $classPaths = array();
 
+	private $validRoots = [];
+
 	/**
 	 * Optional low-latency memory cache for class to path mapping.
+	 *
 	 * @var \OC\Memcache\Cache
 	 */
 	protected $memoryCache;
 
+	/**
+	 * Autoloader constructor.
+	 *
+	 * @param string[] $validRoots
+	 */
+	public function __construct(array $validRoots) {
+		$this->validRoots = $validRoots;
+	}
+
+	/**
+	 * Add a path to the list of valid php roots for auto loading
+	 *
+	 * @param string $root
+	 */
+	public function addValidRoot($root) {
+		$this->validRoots[] = $root;
+	}
+
 	/**
 	 * disable the usage of the global classpath \OC::$CLASSPATH
 	 */
@@ -102,6 +123,15 @@ class Autoloader {
 		return $paths;
 	}
 
+	protected function isValidPath($fullPath) {
+		foreach ($this->validRoots as $root) {
+			if (substr($fullPath, 0, strlen($root) + 1) === $root . '/') {
+				return true;
+			}
+		}
+		throw new \Exception('Path not allowed');
+	}
+
 	/**
 	 * Load the specified class
 	 *
@@ -119,7 +149,7 @@ class Autoloader {
 			$pathsToRequire = array();
 			foreach ($this->findClass($class) as $path) {
 				$fullPath = stream_resolve_include_path($path);
-				if ($fullPath) {
+				if ($fullPath && $this->isValidPath($fullPath)) {
 					$pathsToRequire[] = $fullPath;
 				}
 			}
@@ -138,6 +168,7 @@ class Autoloader {
 
 	/**
 	 * Sets the optional low-latency cache for class to path mapping.
+	 *
 	 * @param \OC\Memcache\Cache $memoryCache Instance of memory cache.
 	 */
 	public function setMemoryCache(\OC\Memcache\Cache $memoryCache = null) {

lib/base.php

@@ -115,9 +115,6 @@ class OC {
 	 * the app path list is empty or contains an invalid path
 	 */
 	public static function initPaths() {
-		// calculate the root directories
-		OC::$SERVERROOT = str_replace("\\", '/', substr(__DIR__, 0, -4));
-
 		// ensure we can find OC_Config
 		set_include_path(
 			OC::$SERVERROOT . '/lib' . PATH_SEPARATOR .
@@ -519,10 +516,20 @@ class OC {
 	}
 
 	public static function init() {
+		// calculate the root directories
+		OC::$SERVERROOT = str_replace("\\", '/', substr(__DIR__, 0, -4));
+
 		// register autoloader
 		$loaderStart = microtime(true);
 		require_once __DIR__ . '/autoloader.php';
-		self::$loader = new \OC\Autoloader();
+		self::$loader = new \OC\Autoloader([
+			OC::$SERVERROOT . '/lib',
+			OC::$SERVERROOT . '/core',
+			OC::$SERVERROOT . '/settings',
+			OC::$SERVERROOT . '/ocs',
+			OC::$SERVERROOT . '/ocs-provider',
+			OC::$SERVERROOT . '/3rdparty'
+		]);
 		spl_autoload_register(array(self::$loader, 'load'));
 		$loaderEnd = microtime(true);
 
@@ -545,6 +552,10 @@ class OC {
 			exit();
 		}
 
+		foreach(OC::$APPSROOTS as $appRoot) {
+			self::$loader->addValidRoot($appRoot['path']);
+		}
+
 		// setup the basic server
 		self::$server = new \OC\Server(\OC::$WEBROOT);
 		\OC::$server->getEventLogger()->log('autoloader', 'Autoloader', $loaderStart, $loaderEnd);

tests/bootstrap.php

@@ -8,6 +8,8 @@ if ($configDir) {
 
 require_once __DIR__ . '/../lib/base.php';
 
+\OC::$loader->addValidRoot(OC::$SERVERROOT . '/tests');
+
 // load minimum set of apps
 OC_App::loadApps(array('authentication'));
 OC_App::loadApps(array('filesystem', 'logging'));

tests/lib/autoloader.php

@@ -16,7 +16,7 @@ class AutoLoader extends TestCase {
 
 	protected function setUp() {
 		parent::setUp();
-		$this->loader = new \OC\AutoLoader();
+		$this->loader = new \OC\AutoLoader([]);
 	}
 
 	public function testLeadingSlashOnClassName() {

tests/lib/template.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * ownCloud
  *
@@ -19,13 +20,12 @@
  * License along with this library.  If not, see <http://www.gnu.org/licenses/>.
  *
  */
-
 class Test_TemplateFunctions extends \Test\TestCase {
 
 	protected function setUp() {
 		parent::setUp();
 
-		$loader = new \OC\Autoloader();
+		$loader = new \OC\Autoloader([OC::$SERVERROOT . '/lib']);
 		$loader->load('OC_Template');
 	}