[Pkg-owncloud-commits] [owncloud] 341/394: Remove invalid characters from app id to prevent loading of invalid ressources.
taffit pushed a commit to annotated tag v4.5.10
in repository owncloud.
commit ece08cd03e56936e2faa752a7390c86645fe9ba7
Author: Lukas Reschke <lukas at statuscode.ch>
Date: Mon Feb 11 21:44:26 2013 +0100
Remove invalid characters from app id to prevent loading of invalid resources.
Backport of #1569
---
core/ajax/translations.php | 1 +
lib/app.php | 9 +++++++++
settings/ajax/disableapp.php | 2 +-
settings/ajax/enableapp.php | 2 +-
4 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/core/ajax/translations.php b/core/ajax/translations.php
index 75679da..c84e778 100644
--- a/core/ajax/translations.php
+++ b/core/ajax/translations.php
@@ -25,6 +25,7 @@
require_once '../../lib/base.php';
$app = $_POST["app"];
+$app = OC_App::cleanAppId($app);
$l = OC_L10N::get( $app );
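Review bot: `$_POST["app"]` on the line before the new call is read without an `isset()` guard, so a request with no `app` field raises an undefined-index notice and passes null into `OC_App::cleanAppId()`; `$app = isset($_POST['app']) ? OC_App::cleanAppId($_POST['app']) : '';` keeps the sanitising and makes the missing case explicit. The sanitiser strips characters rather than validating, so a caller that sent a traversal attempt gets a silently rewritten id instead of an error; comparing the cleaned value with the original and refusing the request on mismatch would surface abuse rather than mask it. Whether this endpoint requires a logged-in user is not visible in the hunk, which starts at line 25 of the file, so that should be confirmed separately.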
diff --git a/lib/app.php b/lib/app.php
index e0a99cf..c27aae0 100755
--- a/lib/app.php
+++ b/lib/app.php
@@ -38,6 +38,15 @@ class OC_App{
static private $checkedApps = array();
static private $altLogin = array();
+ /**
+ * @brief clean the appid
+ * @param $app Appid that needs to be cleaned
+ * @return string
+ */
+ public static function cleanAppId($app) {
+ return str_replace(array('\0', '/', '\\', '..'), '', $app);
+ }
+
/**
* @brief loads all apps
* @param array $types
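Review bot: In the new `cleanAppId()`, `'\0'` is a single-quoted PHP string, which only recognises `\\` and `\'` as escapes, so it is the two characters backslash and zero rather than a NUL byte; an embedded NUL in the app id is therefore not removed, defeating one of the stated goals of the change. The fix is to double-quote that element, `return str_replace(array("\0", '/', '\\', '..'), '', $app);`. A stronger and simpler approach, if app ids are limited to the usual alphanumerics and underscores (not verifiable from this hunk), is a whitelist such as `return preg_replace('/[^a-zA-Z0-9_]/', '', $app);`, which also covers any characters the blacklist has not thought of. The docblock should say what the function does and why: `Strip characters that could make an app id escape the apps directory (path separators, parent references, NUL) before it is used to build a filesystem path`.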
diff --git a/settings/ajax/disableapp.php b/settings/ajax/disableapp.php
index 977a536..89c89d9 100644
--- a/settings/ajax/disableapp.php
+++ b/settings/ajax/disableapp.php
@@ -5,6 +5,6 @@ OC_JSON::checkAdminUser();
OCP\JSON::callCheck();
OC_JSON::setContentTypeHeader();
-OC_App::disable($_POST['appid']);
+OC_App::disable(OC_App::cleanAppId($_POST['appid']));
OC_JSON::success();
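Review bot: The cleaning is applied at this call site rather than inside `OC_App::disable()`, so any other caller of `disable()` (if there are any; none are visible in this diff) stays unprotected, and the same applies to `enable()` in the sibling hunk. Moving the `OC_App::cleanAppId()` call into the first line of `disable()` and `enable()` in lib/app.php would make the check hold for every entry point and let these endpoints go back to `OC_App::disable($_POST['appid']);`. The admin and CSRF checks (`OC_JSON::checkAdminUser()`, `OCP\JSON::callCheck()`) on the lines above are unchanged and still guard this endpoint.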
diff --git a/settings/ajax/enableapp.php b/settings/ajax/enableapp.php
index c3b3491..a9e3fe4 100644
--- a/settings/ajax/enableapp.php
+++ b/settings/ajax/enableapp.php
@@ -6,7 +6,7 @@ OC_JSON::checkAdminUser();
OCP\JSON::callCheck();
OC_JSON::setContentTypeHeader();
-$appid = OC_App::enable($_POST['appid']);
+$appid = OC_App::enable(OC_App::cleanAppId($_POST['appid']));
if($appid !== false) {
OC_JSON::success(array('data' => array('appid' => $appid)));
} else {