[Pkg-owncloud-commits] [owncloud] 02/03: Check if username is valid and remove slashes from filename

[David Prévot]

This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to annotated tag v4.0.13
in repository owncloud.

commit 7b6a02226c91b66abc24333d6311eb20e085d4b1
Author: Lukas Reschke <lukas at statuscode.ch>
Date:   Mon Mar 11 16:48:13 2013 +0100

    Check if username is valid and remove slashes from filename
    
    Backport of #2236 to stable4
---
 lib/migrate.php |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/lib/migrate.php b/lib/migrate.php
index 41ea200..394c212 100644
--- a/lib/migrate.php
+++ b/lib/migrate.php
@@ -234,11 +234,20 @@ class OC_Migrate{
 					OC_Log::write( 'migration', 'User doesn\'t exist', OC_Log::ERROR );
 					return json_encode( array( 'success' => false ) );
 				}
+
+				// Check if the username is valid
+				if( preg_match( '/[^a-zA-Z0-9 _\.@\-]/', $json->exporteduser )) {
+					OC_Log::write( 'migration', 'Username is not valid', OC_Log::ERROR );
+					return json_encode( array( 'success' => false ) );
+				}
+
 				// Copy data
 				$userfolder = $extractpath . $json->exporteduser;
 				$newuserfolder = $datadir . '/' . self::$uid;
 				foreach(scandir($userfolder) as $file){
-					if($file !== '.' && $file !== '..' && is_dir($file)){
+					if($file !== '.' && $file !== '..' && is_dir($file)) {
+						$file = str_replace(array('/', '\\'), '',  $file);
+
 						// Then copy the folder over
 						OC_Helper::copyr($userfolder.'/'.$file, $newuserfolder.'/'.$file);
 					}

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/owncloud.git