[Pkg-owncloud-commits] [owncloud] 171/223: Add deprecation notice to load* functions

David Prévot taffit at moszumanska.debian.org
Sun Jun 22 01:54:21 UTC 2014


This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to branch master
in repository owncloud.

commit f2fc214ce0455ce9a9def36bd09285e82b5eabec
Author: Lukas Reschke <lukas at statuscode.ch>
Date:   Sat Jun 14 11:05:12 2014 +0200

    Add deprecation notice to load* functions
    
    These functions are deprecated and/or removed since ownCloud 7. Additionally, an issubdirectory check has been added here to prevent developers from using this function in a potentially insecure way.
    
    Port of https://github.com/owncloud/core/pull/9033
---
 .htaccess    | 3 +++
 lib/base.php | 8 ++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/.htaccess b/.htaccess
index ee4d5af..f34dd9d 100644
--- a/.htaccess
+++ b/.htaccess
@@ -38,3 +38,6 @@ Options -Indexes
 <IfModule pagespeed_module>
         ModPagespeed Off
 </IfModule>
+
+ErrorDocument 403 /core/core/templates/403.php
+ErrorDocument 404 /core/core/templates/404.php
\ No newline at end of file
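Review bot: The two added `ErrorDocument` targets are absolute URL paths starting with `/core/core/`, so they resolve only when the instance is served under a `/core` prefix that itself contains a `core/` directory. On any other web root Apache cannot find the handler and falls back to its built-in error page. The doubled `core` segment may be unintended and is worth checking against where `templates/403.php` and `templates/404.php` actually live in the package. If the prefix is deployment-specific, a comment above the directives such as `# Adjust the prefix to the URL path under which ownCloud is installed` would make that explicit.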
diff --git a/lib/base.php b/lib/base.php
index 5871ecb..dcaf372 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -785,14 +785,18 @@ class OC {
 	 * Load a PHP file belonging to the specified application
 	 * @param array $param The application and file to load
 	 * @return bool Whether the file has been found (will return 404 and false if not)
+	 * @deprecated This function will be removed in ownCloud 8 - use proper routing instead
+	 * @param $param
+	 * @return bool Whether the file has been found (will return 404 and false if not)
 	 */
 	public static function loadAppScriptFile($param) {
 		OC_App::loadApps();
 		$app = $param['app'];
 		$file = $param['file'];
 		$app_path = OC_App::getAppPath($app);
-		if (OC_App::isEnabled($app) && $app_path !== false) {
-			$file = $app_path . '/' . $file;
+		$file = $app_path . '/' . $file;
+
+		if (OC_App::isEnabled($app) && $app_path !== false && OC_Helper::issubdirectory($file, $app_path)) {
 			unset($app, $app_path);
 			if (file_exists($file)) {
 				require_once $file;
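Review bot: The added `OC_Helper::issubdirectory($file, $app_path)` call is the only check between `$param['file']` and `require_once`, and its implementation is not shown in this hunk. Confirm that it canonicalises both paths (resolving `..` segments and symlinks) and compares on a directory boundary rather than by plain string prefix, since a prefix match would also accept a sibling directory whose name starts with the app's path. Moving `$file = $app_path . '/' . $file;` above the condition means the concatenation now also runs when `getAppPath()` returned `false`; the `&&` short-circuit keeps that harmless, but a comment such as `// $file is only trusted once the containment check below has passed` would show the ordering is intended. The docblock now has two `@param` and two `@return` tags, so the added `@param $param` and second `@return` lines can be dropped, leaving only the `@deprecated` line. The body of `loadAppScriptFile` continues past the end of the hunk.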

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/owncloud.git


