[Pkg-owncloud-commits] [owncloud] 25/34: Normalize before processing

David Prévot taffit at moszumanska.debian.org
Wed Mar 11 15:49:37 UTC 2015


This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to annotated tag v8.0.0
in repository owncloud.

commit 4d91fa4c93aa88480a52eed40fe65d7fdd4912d4
Author: Lukas Reschke <lukas at owncloud.com>
Date:   Fri Feb 6 15:03:29 2015 +0100

    Normalize before processing
---
 lib/private/files/filesystem.php | 10 ++++++----
 lib/private/files/mapper.php     | 18 ++++++++++++++----
 tests/lib/files/filesystem.php   | 22 ++++++++++++++++++++++
 tests/lib/files/mapper.php       |  9 +++++++++
 4 files changed, 51 insertions(+), 8 deletions(-)

diff --git a/lib/private/files/filesystem.php b/lib/private/files/filesystem.php
index 140d892..e933782 100644
--- a/lib/private/files/filesystem.php
+++ b/lib/private/files/filesystem.php
@@ -543,9 +543,11 @@ class Filesystem {
 	 * @return bool
 	 */
 	static public function isFileBlacklisted($filename) {
+		$filename = self::normalizePath($filename);
+
 		$blacklist = \OC_Config::getValue('blacklisted_files', array('.htaccess'));
 		$filename = strtolower(basename($filename));
-		return (in_array($filename, $blacklist));
+		return in_array($filename, $blacklist);
 	}
 
 	/**
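Review bot: In `isFileBlacklisted` the file name is lowercased before the lookup but the entries read from `blacklisted_files` are not, so an administrator-configured entry that contains an upper-case letter can never match. Lowercasing the list as well closes that gap: `$blacklist = array_map('strtolower', $blacklist);`. While the return line is being touched, passing `true` as the third argument to `in_array` would avoid PHP's loose comparison if a non-string value ever ends up in the config array.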
@@ -734,6 +736,9 @@ class Filesystem {
 			return '/';
 		}
 
+		//normalize unicode if possible
+		$path = \OC_Util::normalizeUnicode($path);
+
 		//no windows style slashes
 		$path = str_replace('\\', '/', $path);
 
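Review bot: The moved comment `//normalize unicode if possible` does not record why the call now has to come first, although that ordering is the whole point of the commit. I would expand it to something like `// normalize unicode first so the slash, dot and blacklist handling below all see the canonical form`. The words "if possible" suggest that `\OC_Util::normalizeUnicode` may return the path unchanged in some environments (its body is not visible here); if so, that fallback deserves a mention, because `isFileBlacklisted` now depends on this step. `normalizePath` starts and ends outside this hunk, and the old call site is removed in the next hunk.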
@@ -770,9 +775,6 @@ class Filesystem {
 			$path = substr($path, 0, -2);
 		}
 
-		//normalize unicode if possible
-		$path = \OC_Util::normalizeUnicode($path);
-
 		$normalizedPath = $windows_drive_letter . $path;
 		self::$normalizedPathCache[$cacheKey] = $normalizedPath;
 
diff --git a/lib/private/files/mapper.php b/lib/private/files/mapper.php
index 5e78ef0..86c23c6 100644
--- a/lib/private/files/mapper.php
+++ b/lib/private/files/mapper.php
@@ -115,6 +115,8 @@ class Mapper
 
 	/**
 	 * @param string $logicPath
+	 * @return null
+	 * @throws \OC\DatabaseException
 	 */
 	private function resolveLogicPath($logicPath) {
 		$logicPath = $this->resolveRelativePath($logicPath);
@@ -162,7 +164,8 @@ class Mapper
 
 	/**
 	 * @param string $logicPath
-	 * @param boolean $store
+	 * @param bool $store
+	 * @return string
 	 */
 	private function create($logicPath, $store) {
 		$logicPath = $this->resolveRelativePath($logicPath);
@@ -191,7 +194,9 @@ class Mapper
 	}
 
 	/**
-	 * @param integer $index
+	 * @param string $path
+	 * @param int $index
+	 * @return string
 	 */
 	public function slugifyPath($path, $index = null) {
 		$path = $this->stripRootFolder($path, $this->unchangedPhysicalRoot);
@@ -205,7 +210,7 @@ class Mapper
 				continue;
 			}
 
-			$sluggedElements[] = self::slugify($pathElement);
+			$sluggedElements[] = $this->slugify($pathElement);
 		}
 
 		// apply index to file name
@@ -253,13 +258,18 @@ class Mapper
 		// trim ending dots (for security reasons and win compatibility)
 		$text = preg_replace('~\.+$~', '', $text);
 
-		if (empty($text)) {
+		if (empty($text) || \OC\Files\Filesystem::isFileBlacklisted($text)) {
 			/**
 			 * Item slug would be empty. Previously we used uniqid() here.
 			 * However this means that the behaviour is not reproducible, so
 			 * when uploading files into a "empty" folder, the folders name is
 			 * different.
 			 *
+			 * The other case is, that the slugified name would be a blacklisted
+			 * filename. In this case we just use the same workaround by
+			 * returning the secure md5 hash of the original name.
+			 *
+			 *
 			 * If there would be a md5() hash collision, the deduplicate check
 			 * will spot this and append an index later, so this should not be
 			 * a problem.
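Review bot: The added comment calls the fallback "the secure md5 hash", which overstates what md5 provides; here it only yields a reproducible replacement name, and the same comment already relies on the deduplicate check to handle collisions. I would word it as `returning the md5 hash of the original name` and drop the doubled empty ` *` line. Separately, in the new condition `empty($text)` is also true for the slug `'0'`, so such a name takes the md5 path as well; `$text === ''` would be the narrower test if that is not intended. The method continues past the end of this hunk.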
diff --git a/tests/lib/files/filesystem.php b/tests/lib/files/filesystem.php
index 888690a..7bf5931 100644
--- a/tests/lib/files/filesystem.php
+++ b/tests/lib/files/filesystem.php
@@ -187,6 +187,28 @@ class Filesystem extends \Test\TestCase {
 		$this->assertSame($expected, \OC\Files\Filesystem::isValidPath($path));
 	}
 
+	public function isFileBlacklistedData() {
+		return array(
+			array('/etc/foo/bar/foo.txt', false),
+			array('\etc\foo/bar\foo.txt', false),
+			array('.htaccess', true),
+			array('.htaccess/', true),
+			array('.htaccess\\', true),
+			array('/etc/foo\bar/.htaccess\\', true),
+			array('/etc/foo\bar/.htaccess/', true),
+			array('/etc/foo\bar/.htaccess/foo', false),
+			array('//foo//bar/\.htaccess/', true),
+			array('\foo\bar\.HTAccess', true),
+		);
+	}
+
+	/**
+	 * @dataProvider isFileBlacklistedData
+	 */
+	public function testIsFileBlacklisted($path, $expected) {
+		$this->assertSame($expected, \OC\Files\Filesystem::isFileBlacklisted($path));
+	}
+
 	public function normalizePathWindowsAbsolutePathData() {
 		return array(
 			array('C:/', 'C:\\'),
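Review bot: `isFileBlacklistedData` covers slash variants and letter case but has no row for names that differ from `.htaccess` only by a trailing dot or surrounding whitespace, although the mapper tests added in this same commit treat `'.htaccess.'` and `'.htaccess '` as names that need the fallback. Adding rows for those two inputs with the intended result would pin down whether `isFileBlacklisted` itself or only `slugify` is responsible for those forms. A case that sets a custom `blacklisted_files` value would also help, since every row here exercises only the default list.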
diff --git a/tests/lib/files/mapper.php b/tests/lib/files/mapper.php
index 1816173..cd35d4f 100644
--- a/tests/lib/files/mapper.php
+++ b/tests/lib/files/mapper.php
@@ -68,6 +68,15 @@ class Mapper extends \Test\TestCase {
 			 */
 			array('D:/' . md5('ありがとう'), 'D:/ありがとう'),
 			array('D:/' . md5('ありがとう') . '/issue6722.txt', 'D:/ありがとう/issue6722.txt'),
+			array('D:/' . md5('.htaccess'), 'D:/.htaccess'),
+			array('D:/' . md5('.htaccess.'), 'D:/.htaccess.'),
+			array('D:/' . md5('.htAccess'), 'D:/.htAccess'),
+			array('D:/' . md5('.htAccess\\…\\') . '/a', 'D:/.htAccess\…\/とa'),
+			array('D:/' . md5('.htaccess-'), 'D:/.htaccess-'),
+			array('D:/' . md5('.htaあccess'), 'D:/.htaあccess'),
+			array('D:/' . md5(' .htaccess'), 'D:/ .htaccess'),
+			array('D:/' . md5('.htaccess '), 'D:/.htaccess '),
+			array('D:/' . md5(' .htaccess '), 'D:/ .htaccess '),
 		);
 	}
 
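Review bot: The nine added rows carry no comment saying what they have in common, and the row built from `'.htAccess\\…\\'` is hard to read because the expected side escapes the backslashes while the input side does not. As far as the rows show, each input contains an element whose slug would collapse to a blacklisted name, so a short comment above them such as `// elements whose slug would be a blacklisted file name fall back to md5() of the original element` would make the intent clear. The array and its provider method start above this hunk.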

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/owncloud.git


