[Pkg-owncloud-commits] [owncloud] 188/457: Validate target file name for some webdav ops

[David Prévot]

This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to branch stable8
in repository owncloud.

commit 06f8c80af6c7543750007315582dee7099f4b215
Author: Vincent Petry <pvince81 at owncloud.com>
Date:   Fri May 29 19:14:38 2015 +0200

    Validate target file name for some webdav ops
---
 lib/private/connector/sabre/directory.php  | 7 +++++++
 lib/private/connector/sabre/objecttree.php | 7 +++++++
 2 files changed, 14 insertions(+)

diff --git a/lib/private/connector/sabre/directory.php b/lib/private/connector/sabre/directory.php
index 67fdbb2..ef35b30 100644
--- a/lib/private/connector/sabre/directory.php
+++ b/lib/private/connector/sabre/directory.php
@@ -27,6 +27,8 @@
  */
 namespace OC\Connector\Sabre;
 
+use OC\Connector\Sabre\Exception\InvalidPath;
+
 class Directory extends \OC\Connector\Sabre\Node
 	implements \Sabre\DAV\ICollection, \Sabre\DAV\IQuota {
 
@@ -91,6 +93,8 @@ class Directory extends \OC\Connector\Sabre\Node
 				}
 			}
 
+			$this->fileView->verifyPath($this->path, $name);
+
 			$path = $this->fileView->getAbsolutePath($this->path) . '/' . $name;
 			// using a dummy FileInfo is acceptable here since it will be refreshed after the put is complete
 			$info = new \OC\Files\FileInfo($path, null, null, array(), null);
@@ -114,12 +118,15 @@ class Directory extends \OC\Connector\Sabre\Node
 				throw new \Sabre\DAV\Exception\Forbidden();
 			}
 
+			$this->fileView->verifyPath($this->path, $name);
 			$newPath = $this->path . '/' . $name;
 			if (!$this->fileView->mkdir($newPath)) {
 				throw new \Sabre\DAV\Exception\Forbidden('Could not create directory ' . $newPath);
 			}
 		} catch (\OCP\Files\StorageNotAvailableException $e) {
 			throw new \Sabre\DAV\Exception\ServiceUnavailable($e->getMessage());
+		} catch (\OCP\Files\InvalidPathException $ex) {
+			throw new InvalidPath($ex->getMessage());
 		}
 	}
 
diff --git a/lib/private/connector/sabre/objecttree.php b/lib/private/connector/sabre/objecttree.php
index 8def14e..17d9aff 100644
--- a/lib/private/connector/sabre/objecttree.php
+++ b/lib/private/connector/sabre/objecttree.php
@@ -249,6 +249,13 @@ class ObjectTree extends \Sabre\DAV\Tree {
 		// this will trigger existence check
 		$this->getNodeForPath($source);
 
+		list($destinationDir, $destinationName) = \Sabre\HTTP\URLUtil::splitPath($destination);
+		try {
+			$this->fileView->verifyPath($destinationDir, $destinationName);
+		} catch (\OCP\Files\InvalidPathException $ex) {
+			throw new InvalidPath($ex->getMessage());
+		}
+
 		try {
 			$this->fileView->copy($source, $destination);
 		} catch (\OCP\Files\StorageNotAvailableException $e) {

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/owncloud.git