[Pkg-owncloud-commits] [owncloud] 30/394: check for filename blacklist in OC_Filesystem::isValidPath

David Prévot taffit at alioth.debian.org
Fri Nov 8 23:11:20 UTC 2013


This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to annotated tag v4.5.10
in repository owncloud.

commit f599267459792e46503c42517e47017b57ae1cbe
Author: Robin Appelman <icewind at owncloud.com>
Date:   Sat Nov 3 00:21:10 2012 +0100

    check for filename blacklist in OC_Filesystem::isValidPath
---
 lib/filesystem.php       |   15 ++++++++++-----
 tests/lib/filesystem.php |   35 +++++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+), 5 deletions(-)

diff --git a/lib/filesystem.php b/lib/filesystem.php
index 45b039f..2111816 100644
--- a/lib/filesystem.php
+++ b/lib/filesystem.php
@@ -403,6 +403,9 @@ class OC_Filesystem{
 		if(strstr($path,'/../') || strrchr($path, '/') === '/..' ) {
 			return false;
 		}
+		if(self::isFileBlacklisted($path)){
+			return false;
+		}
 		return true;
 	}
 
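Review bot: The new `isFileBlacklisted($path)` call in isValidPath has no comment explaining why a filename policy is enforced inside a path-syntax check, and it matches only the exact lowercased basename of `$path` as passed in. A one-line comment such as `// reject blacklisted names here as well, for callers that do not go through the write/rename hooks` would record the intent (presumably defence in depth; confirm against the callers). The exact-match comparison is only as strong as whatever normalisation `$path` has received before this point. That is not visible here, because isValidPath begins outside the hunk.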
@@ -412,20 +415,22 @@ class OC_Filesystem{
 	 * @param array $data from hook
 	 */
 	static public function isBlacklisted($data) {
-		$blacklist = array('.htaccess');
 		if (isset($data['path'])) {
 			$path = $data['path'];
 		} else if (isset($data['newpath'])) {
 			$path = $data['newpath'];
 		}
 		if (isset($path)) {
-			$filename = strtolower(basename($path));
-			if (in_array($filename, $blacklist)) {
-				$data['run'] = false;
-			}
+			$data['run'] = !self::isFileBlacklisted($path);
 		}
 	}
 
+	static public function isFileBlacklisted($path){
+		$blacklist = array('.htaccess');
+		$filename = strtolower(basename($path));
+		return in_array($filename, $blacklist);
+	}
+
 	/**
 	 * following functions are equivilent to their php buildin equivilents for arguments/return values.
 	 */
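Review bot: The assignment `$data['run'] = !self::isFileBlacklisted($path);` in isBlacklisted now writes `true` for every non-blacklisted path, whereas the removed code only ever wrote `false`. If another listener on the same signal has already vetoed the operation by setting `run` to false, this hook would switch it back on (whether such listeners exist is not visible here). Keeping the one-way form avoids that: `if (self::isFileBlacklisted($path)) { $data['run'] = false; }`. The new isFileBlacklisted also has no docblock while its neighbours do, and `in_array($filename, $blacklist, true)` would keep the comparison strict if the list grows.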
diff --git a/tests/lib/filesystem.php b/tests/lib/filesystem.php
index a13b80c..1fc2c27 100644
--- a/tests/lib/filesystem.php
+++ b/tests/lib/filesystem.php
@@ -72,6 +72,41 @@ class Test_Filesystem extends UnitTestCase {
 		}
 	}
 
+	public function testBlacklist() {
+		OC_Hook::clear('OC_Filesystem');
+		OC_Hook::connect('OC_Filesystem', 'write', 'OC_Filesystem', 'isBlacklisted');
+		OC_Hook::connect('OC_Filesystem', 'rename', 'OC_Filesystem', 'isBlacklisted');
+
+		$run = true;
+		OC_Hook::emit(
+			OC_Filesystem::CLASSNAME,
+			OC_Filesystem::signal_write,
+			array(
+				OC_Filesystem::signal_param_path => '/test/.htaccess',
+				OC_Filesystem::signal_param_run => &$run
+			)
+		);
+		$this->assertFalse($run);
+
+		if (OC_Filesystem::getView()) {
+			$user = OC_User::getUser();
+		} else {
+			$user = uniqid();
+			OC_Filesystem::init('/' . $user . '/files');
+		}
+
+		OC_Filesystem::mount('OC_Filestorage_Temporary', array(), '/');
+
+		$rootView = new OC_FilesystemView('');
+		$rootView->mkdir('/' . $user);
+		$rootView->mkdir('/' . $user . '/files');
+
+		$this->assertFalse($rootView->file_put_contents('/.htaccess', 'foo'));
+		$this->assertFalse(OC_Filesystem::file_put_contents('/.htaccess', 'foo'));
+		$fh = fopen(__FILE__, 'r');
+		$this->assertFalse(OC_Filesystem::file_put_contents('/.htaccess', $fh));
+	}
+
 	public function testHooks() {
 		if(OC_Filesystem::getView()){
 			$user = OC_User::getUser();
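Review bot: testBlacklist connects the `rename` hook but never emits a rename signal, and it only uses the exact lowercase name, so neither the `newpath` branch of isBlacklisted nor the `strtolower` folding is exercised. There is also no positive case showing that an ordinary filename can still be written, which is what would catch a blacklist that rejects too much. Consider adding `$this->assertFalse(OC_Filesystem::file_put_contents('/.HTACCESS', 'foo'));`, an assertion on a harmless name, and an emit with `newpath` set. The handle from `fopen(__FILE__, 'r')` is never closed; add `fclose($fh);` after the last assertion. testHooks, which follows this method, continues outside the hunk.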

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/owncloud.git


