[Pkg-owncloud-commits] [owncloud] 12/85: Harden issubdirectory()

David Prévot taffit at moszumanska.debian.org
Tue Jun 17 19:12:40 UTC 2014


This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to branch 6.0
in repository owncloud.

commit 1e6b4576c2a99290f78b48a45c317a8b262d649f
Author: Lukas Reschke <lukas at statuscode.ch>
Date:   Sun May 11 15:49:19 2014 +0200

    Harden issubdirectory()
    
    realpath() may return false in case the directory does not exist. Since we can not be sure how different PHP versions may behave here, we do an additional check whether realpath returned false.
---
 lib/private/helper.php | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/lib/private/helper.php b/lib/private/helper.php
index 1cc6413..f56a2cf 100644
--- a/lib/private/helper.php
+++ b/lib/private/helper.php
@@ -716,9 +716,21 @@ class OC_Helper {
 	 * @return bool
 	 */
 	public static function issubdirectory($sub, $parent) {
-		if (strpos(realpath($sub), realpath($parent)) === 0) {
+		$realpathSub = realpath($sub);
+		$realpathParent = realpath($parent);
+
+		// realpath() may return false in case the directory does not exist
+		// since we can not be sure how different PHP versions may behave here
+		// we do an additional check whether realpath returned false
+		if($realpathSub === false ||  $realpathParent === false) {
+			return false;
+		}
+
+		// Check whether $sub is a subdirectory of $parent
+		if (strpos($realpathSub, $realpathParent) === 0) {
 			return true;
 		}
+
 		return false;
 	}
 
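Review bot: the new `strpos($realpathSub, $realpathParent) === 0` test at the end of the hunk is still a bare string-prefix check, so a sibling directory whose name merely begins with the parent's name (for example a parent of `/data/foo` and a sub of `/data/foobar`) is reported as a subdirectory; compare against the parent path with a trailing directory separator appended (e.g. `rtrim($realpathParent, '/') . '/'`), or verify that the character following the matched prefix is a separator, and decide explicitly whether `$sub === $parent` should count, since the current code returns true for that case too. The `false` guard itself is correct and should be kept. Minor style points in the same hunk: `if($realpathSub === false ||  $realpathParent === false)` has a double space and lacks the space after `if` that the following `if (` line uses.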

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/owncloud.git