[Pkg-owncloud-commits] [php-sabredav] 40/75: Prevent enumeration of absolute path using Browser Plugin

David Prévot taffit at moszumanska.debian.org
Thu Feb 26 18:51:52 UTC 2015


This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to branch master
in repository php-sabredav.

commit abdc7b180ded1a601c75bb63a1a68891814c9b37
Author: Lukas Reschke <lukas at owncloud.com>
Date:   Mon Feb 23 12:52:12 2015 +0100

    Prevent enumeration of absolute path using Browser Plugin
    
    Previously URIs like `?sabreAction=asset&assetName=../../../../../../../../../../../Users/lreschke/Programming/core/3rdparty/sabre/dav/lib/DAV/Browser/assets/sabredav.css` could have been used as `realpath` does resolve them properly.
    
    As discussed in https://github.com/owncloud/core/commit/1edd6d7d0b15a3fd0ad7b20107ac0c603f63204c#commitcomment-9804349
---
 lib/DAV/Browser/Plugin.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/DAV/Browser/Plugin.php b/lib/DAV/Browser/Plugin.php
index 34af64c..987b9c0 100644
--- a/lib/DAV/Browser/Plugin.php
+++ b/lib/DAV/Browser/Plugin.php
@@ -456,6 +456,7 @@ HTML;
      *
      * @param string $assetName
      * @return string
+     * @throws DAV\Exception\NotFound
      */
     protected function getLocalAssetPath($assetName) {
 
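Review bot: the `@throws DAV\Exception\NotFound` tag is the only change in this hunk, so the thing to verify is name resolution: `lib/DAV/Browser/Plugin.php` sits under the `Sabre\DAV` namespace tree, and the relative name `DAV\Exception\NotFound` (the same spelling the `throw` in the next hunk uses) only resolves to `Sabre\DAV\Exception\NotFound` if the file has a `use Sabre\DAV;` import. If it does not, use the fully qualified `\Sabre\DAV\Exception\NotFound` in both the docblock and the throw; otherwise the new guard would produce a class-not-found fatal error instead of the intended 404 the first time a traversal attempt trips it.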
@@ -463,6 +464,10 @@ HTML;
         $path = $assetDir . $assetName;
 
         // Making sure people aren't trying to escape from the base path.
+        $path = str_replace('\\', '/', $path);
+        if (strpos($path, '/../') !== FALSE || strrchr($path, '/') === '/..') {
+            throw new DAV\Exception\NotFound('Path does not exist, or escaping from the base path was detected');
+        }
         if (strpos(realpath($path), realpath($assetDir)) === 0 && file_exists($path)) {
             return $path;
         }

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/php-sabredav.git
