From efc030aa25b047a7c9f720cf781f26cbe1d274e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Schie=C3=9Fle?= Date: Wed, 9 Dec 2015 12:00:00 +0100 Subject: [PATCH] don't allow to create a federated share if source and target server are the same --- apps/files_sharing/ajax/external.php | 8 ++++++ lib/private/share/helper.php | 34 +++++++++++++++++++++++++ lib/private/share/share.php | 13 ++++++++-- tests/lib/share/helper.php | 37 ++++++++++++++++++++++++++++ 4 files changed, 90 insertions(+), 2 deletions(-) diff --git a/apps/files_sharing/ajax/external.php b/apps/files_sharing/ajax/external.php index 0f8a3d56cf..65861ac6a0 100644 --- a/apps/files_sharing/ajax/external.php +++ b/apps/files_sharing/ajax/external.php @@ -49,6 +49,14 @@ if(!\OCP\Util::isValidFileName($name)) { exit(); } +$currentUser = \OC::$server->getUserSession()->getUser()->getUID(); +$currentServer = \OC::$server->getURLGenerator()->getAbsoluteURL('/'); +if (\OC\Share\Helper::isSameUserOnSameServer($owner, $remote, $currentUser, $currentServer )) { + \OCP\JSON::error(array('data' => array('message' => $l->t('Not allowed to create a federated share with the same user server')))); + exit(); +} + + $externalManager = new \OCA\Files_Sharing\External\Manager( \OC::$server->getDatabaseConnection(), \OC\Files\Filesystem::getMountManager(), diff --git a/lib/private/share/helper.php b/lib/private/share/helper.php index 26bbca8131..0441647df8 100644 --- a/lib/private/share/helper.php +++ b/lib/private/share/helper.php @@ -289,4 +289,38 @@ class Helper extends \OC\Share\Constants { $hint = $l->t('Invalid Federated Cloud ID'); throw new HintException('Invalid Fededrated Cloud ID', $hint); } + + /** + * check if two federated cloud IDs refer to the same user + * + * @param string $user1 + * @param string $server1 + * @param string $user2 + * @param string $server2 + * @return bool true if both users and servers are the same + */ + public static function isSameUserOnSameServer($user1, $server1, $user2, $server2) { + $normalizedServer1 = strtolower(\OC\Share\Share::removeProtocolFromUrl($server1)); + $normalizedServer2 = strtolower(\OC\Share\Share::removeProtocolFromUrl($server2)); + + if (rtrim($normalizedServer1, '/') === rtrim($normalizedServer2, '/')) { + // FIXME this should be a method in the user management instead + \OCP\Util::emitHook( + '\OCA\Files_Sharing\API\Server2Server', + 'preLoginNameUsedAsUserName', + array('uid' => &$user1) + ); + \OCP\Util::emitHook( + '\OCA\Files_Sharing\API\Server2Server', + 'preLoginNameUsedAsUserName', + array('uid' => &$user2) + ); + + if ($user1 === $user2) { + return true; + } + } + + return false; + } } diff --git a/lib/private/share/share.php b/lib/private/share/share.php index 3edffba8a3..fff437b3ff 100644 --- a/lib/private/share/share.php +++ b/lib/private/share/share.php @@ -849,11 +849,20 @@ class Share extends Constants { throw new \Exception($message_t); } + // don't allow federated shares if source and target server are the same + list($user, $remote) = Helper::splitUserRemote($shareWith); + $currentServer = self::removeProtocolFromUrl(\OC::$server->getURLGenerator()->getAbsoluteURL('/')); + $currentUser = \OC::$server->getUserSession()->getUser()->getUID(); + if (Helper::isSameUserOnSameServer($user, $remote, $currentUser, $currentServer)) { + $message = 'Not allowed to create a federated share with the same user.'; + $message_t = $l->t('Not allowed to create a federated share with the same user'); + \OCP\Util::writeLog('OCP\Share', $message, \OCP\Util::DEBUG); + throw new \Exception($message_t); + } $token = \OC::$server->getSecureRandom()->getMediumStrengthGenerator()->generate(self::TOKEN_LENGTH, \OCP\Security\ISecureRandom::CHAR_LOWER . \OCP\Security\ISecureRandom::CHAR_UPPER . \OCP\Security\ISecureRandom::CHAR_DIGITS); - list($user, $remote) = Helper::splitUserRemote($shareWith); $shareWith = $user . '@' . $remote; $shareId = self::put($itemType, $itemSource, $shareType, $shareWith, $uidOwner, $permissions, null, $token, $itemSourceName); @@ -2510,7 +2519,7 @@ class Share extends Constants { * @param string $url * @return string */ - private static function removeProtocolFromUrl($url) { + public static function removeProtocolFromUrl($url) { if (strpos($url, 'https://') === 0) { return substr($url, strlen('https://')); } else if (strpos($url, 'http://') === 0) { diff --git a/tests/lib/share/helper.php b/tests/lib/share/helper.php index e37a3db8bf..eaa29c8cb9 100644 --- a/tests/lib/share/helper.php +++ b/tests/lib/share/helper.php @@ -19,6 +19,10 @@ * License along with this library. If not, see . */ +/** + * @group DB + * Class Test_Share_Helper + */ class Test_Share_Helper extends \Test\TestCase { public function expireDateProvider() { @@ -121,4 +125,37 @@ class Test_Share_Helper extends \Test\TestCase { public function testSplitUserRemoteError($id) { \OC\Share\Helper::splitUserRemote($id); } + + /** + * @dataProvider dataTestCompareServerAddresses + * + * @param string $server1 + * @param string $server2 + * @param bool $expected + */ + public function testIsSameUserOnSameServer($user1, $server1, $user2, $server2, $expected) { + $this->assertSame($expected, + \OC\Share\Helper::isSameUserOnSameServer($user1, $server1, $user2, $server2) + ); + } + + public function dataTestCompareServerAddresses() { + return [ + ['user1', 'http://server1', 'user1', 'http://server1', true], + ['user1', 'https://server1', 'user1', 'http://server1', true], + ['user1', 'http://serVer1', 'user1', 'http://server1', true], + ['user1', 'http://server1/', 'user1', 'http://server1', true], + ['user1', 'server1', 'user1', 'http://server1', true], + ['user1', 'http://server1', 'user1', 'http://server2', false], + ['user1', 'https://server1', 'user1', 'http://server2', false], + ['user1', 'http://serVer1', 'user1', 'http://serer2', false], + ['user1', 'http://server1/', 'user1', 'http://server2', false], + ['user1', 'server1', 'user1', 'http://server2', false], + ['user1', 'http://server1', 'user2', 'http://server1', false], + ['user1', 'https://server1', 'user2', 'http://server1', false], + ['user1', 'http://serVer1', 'user2', 'http://server1', false], + ['user1', 'http://server1/', 'user2', 'http://server1', false], + ['user1', 'server1', 'user2', 'http://server1', false], + ]; + } }