[Pkg-owncloud-commits] [owncloud] 14/42: don't use the user id within the versions preview call as it could be used to access previews of another user

David Prévot taffit at moszumanska.debian.org
Wed Jan 22 21:21:48 UTC 2014



taffit pushed a commit to branch master
in repository owncloud.

commit 464b31157efc766f1b50849a8e1af56f8b5d384f
Author: Thomas Müller <thomas.mueller at tmit.eu>
Date:   Tue Jan 21 13:50:56 2014 +0100

    don't use the user id within the versions preview call as it could be used to access previews of another user
---
 apps/files_versions/ajax/getVersions.php |  2 +-
 apps/files_versions/ajax/preview.php     | 10 ++--------
 apps/files_versions/lib/versions.php     | 17 +++++++++++------
 3 files changed, 14 insertions(+), 15 deletions(-)

diff --git a/apps/files_versions/ajax/getVersions.php b/apps/files_versions/ajax/getVersions.php
index 4f48f71..df29f40 100644
--- a/apps/files_versions/ajax/getVersions.php
+++ b/apps/files_versions/ajax/getVersions.php
@@ -5,7 +5,7 @@ $source = $_GET['source'];
 $start = $_GET['start'];
 list ($uid, $filename) = OCA\Files_Versions\Storage::getUidAndFilename($source);
 $count = 5; //show the newest revisions
-if( ($versions = OCA\Files_Versions\Storage::getVersions($uid, $filename)) ) {
+if( ($versions = OCA\Files_Versions\Storage::getVersions($uid, $filename, $source)) ) {
 
 	$endReached = false;
 	if (count($versions) <= $start+$count) {
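Review bot: The third argument added to the `getVersions` call is the raw `$_GET['source']` value read at the top of this file, and nothing here says what `Storage::getVersions` does with it as opposed to the `$uid`/`$filename` pair derived from it on the line above; as far as the hunks in this commit show, it is only embedded in the per-version preview link. A short comment at the call site would spare the next reader a trip into the library: `// $source (the user-relative path) is only used to build the preview links; versions are located via $uid/$filename`. The `if` body continues outside the hunk.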
diff --git a/apps/files_versions/ajax/preview.php b/apps/files_versions/ajax/preview.php
index 3152502..bd9b736 100644
--- a/apps/files_versions/ajax/preview.php
+++ b/apps/files_versions/ajax/preview.php
@@ -12,18 +12,11 @@ if(!\OC_App::isEnabled('files_versions')){
 }
 
 $file = array_key_exists('file', $_GET) ? (string) urldecode($_GET['file']) : '';
-$user = array_key_exists('user', $_GET) ? $_GET['user'] : '';
 $maxX = array_key_exists('x', $_GET) ? (int) $_GET['x'] : 44;
 $maxY = array_key_exists('y', $_GET) ? (int) $_GET['y'] : 44;
 $version = array_key_exists('version', $_GET) ? $_GET['version'] : '';
 $scalingUp = array_key_exists('scalingup', $_GET) ? (bool) $_GET['scalingup'] : true;
 
-if($user === '') {
-	\OC_Response::setStatus(400); //400 Bad Request
-	\OC_Log::write('versions-preview', 'No user parameter was passed', \OC_Log::DEBUG);
-	exit;
-}
-
 if($file === '' && $version === '') {
 	\OC_Response::setStatus(400); //400 Bad Request
 	\OC_Log::write('versions-preview', 'No file parameter was passed', \OC_Log::DEBUG);
@@ -36,7 +29,8 @@ if($maxX === 0 || $maxY === 0) {
 	exit;
 }
 
-try{
+try {
+	list($user, $file) = \OCA\Files_Versions\Storage::getUidAndFilename($file);
 	$preview = new \OC\Preview($user, 'files_versions', $file.'.v'.$version);
 	$mimetype = \OC_Helper::getFileNameMimeType($file);
 	$preview->setMimetype($mimetype);
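Review bot: With `$user` now taken from `getUidAndFilename($file)` (presumably resolved against the logged-in user's filesystem rather than the request), `$version` is the only request-controlled piece left in the preview path built on the next line, `$file.'.v'.$version`, and it still arrives unchecked from `$_GET`. A version is a timestamp (versions.php feeds it to `getHumanReadableTimestamp`), so rejecting anything that is not a plain digit string next to the other 400 checks closes that: `if ($version !== '' && !ctype_digit((string) $version)) { \OC_Response::setStatus(400); exit; }`. Note that `$file` is reassigned inside the try, so the later `getFileNameMimeType($file)` now sees the owner-relative name, which appears to be the intent. The try block continues outside the hunk.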
diff --git a/apps/files_versions/lib/versions.php b/apps/files_versions/lib/versions.php
index f268fa1..01c2e1c 100644
--- a/apps/files_versions/lib/versions.php
+++ b/apps/files_versions/lib/versions.php
@@ -261,11 +261,12 @@ class Storage {
 
 	/**
 	 * @brief get a list of all available versions of a file in descending chronological order
-	 * @param $uid user id from the owner of the file
-	 * @param $filename file to find versions of, relative to the user files dir
+	 * @param string $uid user id from the owner of the file
+	 * @param string $filename file to find versions of, relative to the user files dir
+	 * @param string $userFullPath
 	 * @returns array
 	 */
-	public static function getVersions($uid, $filename) {
+	public static function getVersions($uid, $filename, $userFullPath = '') {
 		$versions = array();
 		// fetch for old versions
 		$view = new \OC\Files\View('/' . $uid . '/' . self::VERSIONS_ROOT);
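Review bot: The new `@param string $userFullPath` line in the docblock carries no description, so a caller cannot tell how it differs from `$filename` or why it is optional, and the second hunk of this file is where the difference actually matters. Suggest `@param string $userFullPath path of the file as seen by the requesting user; when non-empty it is embedded in each version's preview link, otherwise the preview field is left empty`. The method body continues outside the hunk.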
@@ -286,7 +287,11 @@ class Storage {
 					$versions[$key]['cur'] = 0;
 					$versions[$key]['version'] = $version;
 					$versions[$key]['humanReadableTimestamp'] = self::getHumanReadableTimestamp($version);
-					$versions[$key]['preview'] = \OCP\Util::linkToRoute('core_ajax_versions_preview', array('file' => $filename, 'version' => $version, 'user' => $uid));
+					if (empty($userFullPath)) {
+						$versions[$key]['preview'] = '';
+					} else {
+						$versions[$key]['preview'] = \OCP\Util::linkToRoute('core_ajax_versions_preview', array('file' => $userFullPath, 'version' => $version));
+					}
 					$versions[$key]['path'] = $filename;
 					$versions[$key]['name'] = $versionedFile;
 					$versions[$key]['size'] = $file['size'];
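Review bot: `empty($userFullPath)` treats the string `'0'` as absent, so a file literally named `0` at the root would silently get an empty preview link; since the parameter defaults to `''`, the check that matches the intent is `if ($userFullPath === '') {`. The enclosing loop starts outside the hunk.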
@@ -508,8 +513,8 @@ class Storage {
 	 * @brief delete old version from a given list of versions
 	 *
 	 * @param array $versionsByFile list of versions ordered by files
-	 * @param array $allVversions all versions accross multiple files
-	 * @param $versionsFileview OC\Files\View on data/user/files_versions
+	 * @param array $allVversions all versions across multiple files
+	 * @param $versionsFileview \OC\Files\View on data/user/files_versions
 	 * @return size of releted versions
 	 */
 	private static function delOldVersions($versionsByFile, &$allVersions, $versionsFileview) {
