[Pkg-owncloud-commits] [owncloud] 02/11: Remove invalid characters from app id to prevent loading of invalid resources

David Prévot taffit at alioth.debian.org
Fri Nov 8 23:09:30 UTC 2013



taffit pushed a commit to annotated tag v4.0.12
in repository owncloud.

commit 74e73bc8021b71cc3b89ea6ca204e1cab42257c3
Author: Bart Visscher <bartv at thisnet.nl>
Date:   Sat Feb 9 15:03:47 2013 +0100

    Remove invalid characters from app id to prevent loading of invalid resources
---
 core/ajax/translations.php   |    1 +
 lib/app.php                  |    9 +++++++++
 lib/base.php                 |    2 +-
 lib/l10n.php                 |    1 +
 settings/ajax/disableapp.php |    2 +-
 settings/ajax/enableapp.php  |    2 +-
 6 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/core/ajax/translations.php b/core/ajax/translations.php
index a6433b1..73d918f 100644
--- a/core/ajax/translations.php
+++ b/core/ajax/translations.php
@@ -25,6 +25,7 @@
 require_once('../../lib/base.php');
 
 $app = $_POST["app"];
+$app = OC_App::cleanAppId($app);
 
 $l = OC_L10N::get( $app );
 
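Review bot: `$_POST["app"]` on the line above the added one is still read without an isset() check, so a request that omits the parameter raises an undefined-index notice and hands null to cleanAppId(); the same unguarded `$_POST['appid']` read is in the settings/ajax/disableapp.php and settings/ajax/enableapp.php hunks of this commit. Folding the guard into the new line keeps it to one statement: `$app = OC_App::cleanAppId(isset($_POST['app']) ? $_POST['app'] : '');`. Stripping can also leave an empty string, which is then passed to OC_L10N::get(); whether that is acceptable there is not visible from this hunk.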
diff --git a/lib/app.php b/lib/app.php
index 449ae3f..079b634 100644
--- a/lib/app.php
+++ b/lib/app.php
@@ -38,6 +38,15 @@ class OC_App{
 	static private $loadedApps = array();
 
 	/**
+	 * @brief clean the appid
+	 * @param $app Appid that needs to be cleaned
+	 * @return string
+	 */
+	public static function cleanAppId($app) {
+		return str_replace(array('\0', '/', '\\', '..'), '', $app);
+	}
+
+	/**
 	 * @brief loads all apps
 	 * @param array $types
 	 * @returns true/false
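Review bot: `'\0'` in single quotes on the added return line is the two-character sequence backslash-zero, not a NUL byte, so an embedded NUL is not removed by cleanAppId(); it has to be the double-quoted `"\0"` to match the control character (the expression replaced in lib/base.php had the same problem, so the helper inherits it). The remaining entries are a deny-list of traversal sequences applied in a single sequential str_replace() pass; an allow-list such as `return preg_replace('/[^a-zA-Z0-9_\-]/', '', $app);` would be more robust, provided app ids are in fact restricted to that character set, which this hunk does not show. The docblock should also type the parameter, `@param string $app Appid that needs to be cleaned`. The OC_App class continues outside the hunk.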
diff --git a/lib/base.php b/lib/base.php
index 9db3219..0fc998a 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -444,7 +444,7 @@ class OC{
 		register_shutdown_function(array('OC_Helper','cleanTmp'));
 
 		//parse the given parameters
-		self::$REQUESTEDAPP = (isset($_GET['app']) && trim($_GET['app']) != '' && !is_null($_GET['app'])?str_replace(array('\0', '/', '\\', '..'), '', strip_tags($_GET['app'])):OC_Config::getValue('defaultapp', 'files'));
+		self::$REQUESTEDAPP = (isset($_GET['app']) && trim($_GET['app']) != '' && !is_null($_GET['app'])?OC_App::cleanAppId(strip_tags($_GET['app'])):OC_Config::getValue('defaultapp', 'files'));
 		if(substr_count(self::$REQUESTEDAPP, '?') != 0){
 			$app = substr(self::$REQUESTEDAPP, 0, strpos(self::$REQUESTEDAPP, '?'));
 			$param = substr(self::$REQUESTEDAPP, strpos(self::$REQUESTEDAPP, '?') + 1);
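Review bot: The emptiness test `trim($_GET['app']) != ''` on the changed line runs on the raw value, before OC_App::cleanAppId() strips characters, so an `app` value made up only of stripped sequences (for example `..` or `/`) passes the test and leaves self::$REQUESTEDAPP as an empty string instead of falling back to `OC_Config::getValue('defaultapp', 'files')`. Cleaning first and testing the result restores the fallback: `$requestedApp = isset($_GET['app']) ? OC_App::cleanAppId(strip_tags($_GET['app'])) : '';` followed by `self::$REQUESTEDAPP = trim($requestedApp) != '' ? $requestedApp : OC_Config::getValue('defaultapp', 'files');`. The `!is_null($_GET['app'])` clause is redundant after isset() and can go in the same rewrite. The enclosing method starts and ends outside the hunk.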
diff --git a/lib/l10n.php b/lib/l10n.php
index d47637d..d382692 100644
--- a/lib/l10n.php
+++ b/lib/l10n.php
@@ -77,6 +77,7 @@ class OC_L10N{
 	 * language.
 	 */
 	public function __construct($app, $lang = null){
+		$app = OC_App::cleanAppId($app);
 		// Find the right language
 		if(is_null($lang)){
 			$lang = self::findLanguage($app);
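Review bot: The constructor's docblock, which starts above the hunk, does not say that `$app` is now normalized through OC_App::cleanAppId() before the language lookup, so a caller cannot tell that the id used internally may differ from the one it passed. Add to the parameter documentation: `@param string $app app id; path characters are stripped via OC_App::cleanAppId() before use`. The core/ajax/translations.php hunk in this commit already cleans the id before calling OC_L10N::get(), which presumably ends up here, so that path is cleaned twice — harmless, but worth a one-line comment if the double cleaning is intentional. The constructor body continues past the hunk.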
diff --git a/settings/ajax/disableapp.php b/settings/ajax/disableapp.php
index cc00698..7b2b5e3 100644
--- a/settings/ajax/disableapp.php
+++ b/settings/ajax/disableapp.php
@@ -5,6 +5,6 @@ OC_JSON::checkAdminUser();
 OCP\JSON::callCheck();
 OC_JSON::setContentTypeHeader();
 
-OC_App::disable($_POST['appid']);
+OC_App::disable(OC_App::cleanAppId($_POST['appid']));
 
 OC_JSON::success();
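Review bot: The cleaned id goes straight into OC_App::disable() and OC_JSON::success() is emitted unconditionally on the last line, so a request whose appid reduces to an empty string after cleaning still reports success; the enableapp.php hunk at least branches on enable()'s return value. Rejecting an empty id before the call keeps the two endpoints consistent: `$appid = OC_App::cleanAppId($_POST['appid']);` then `if ($appid === '') { OC_JSON::error(); exit; }` before `OC_App::disable($appid);`. Whether disable() itself reports failure for an unknown id is not visible here.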
diff --git a/settings/ajax/enableapp.php b/settings/ajax/enableapp.php
index bd53a50..57b4e19 100644
--- a/settings/ajax/enableapp.php
+++ b/settings/ajax/enableapp.php
@@ -6,7 +6,7 @@ OC_JSON::checkAdminUser();
 OCP\JSON::callCheck();
 OC_JSON::setContentTypeHeader();
 
-if(OC_App::enable($_POST['appid'])){
+if(OC_App::enable(OC_App::cleanAppId($_POST['appid']))){
 	OC_JSON::success();
 }else{
 	OC_JSON::error();
