[Pkg-owncloud-commits] [owncloud] 36/172: Harden issubdirectory()

[David Prévot]

This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to branch master
in repository owncloud.

commit a40e49cae5983d8158562e142919cd3108bd2fd8
Author: Lukas Reschke <lukas at statuscode.ch>
Date:   Sun May 11 15:49:19 2014 +0200

    Harden issubdirectory()
    
    realpath() may return false in case the directory does not exist since we can not be sure how different PHP versions may behave here we do an additional check whether realpath returned false
---
 lib/private/helper.php | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/lib/private/helper.php b/lib/private/helper.php
index 64da1f6..1883ae2 100644
--- a/lib/private/helper.php
+++ b/lib/private/helper.php
@@ -733,9 +733,21 @@ class OC_Helper {
 	 * @return bool
 	 */
 	public static function issubdirectory($sub, $parent) {
-		if (strpos(realpath($sub), realpath($parent)) === 0) {
+		$realpathSub = realpath($sub);
+		$realpathParent = realpath($parent);
+
+		// realpath() may return false in case the directory does not exist
+		// since we can not be sure how different PHP versions may behave here
+		// we do an additional check whether realpath returned false
+		if($realpathSub === false ||  $realpathParent === false) {
+			return false;
+		}
+
+		// Check whether $sub is a subdirectory of $parent
+		if (strpos($realpathSub, $realpathParent) === 0) {
 			return true;
 		}
+
 		return false;
 	}
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/owncloud.git