[Pkg-owncloud-commits] [owncloud] 01/03: Contacts: Backport filename sanitation and blacklist checking to stable4.
David Prévot
taffit at alioth.debian.org
Fri Nov 8 23:09:38 UTC 2013
taffit pushed a commit to annotated tag v4.0.13
in repository owncloud.
commit fae5bd363b4cc3bd00d1a983ca5aff4a0eb86408
Author: Thomas Tanghus <thomas at tanghus.net>
Date: Sat Mar 9 19:26:31 2013 +0100
Contacts: Backport filename sanitation and blacklist checking to stable4.
---
apps/contacts/ajax/uploadimport.php | 8 ++++++++
apps/contacts/import.php | 15 ++++++++++-----
2 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/apps/contacts/ajax/uploadimport.php b/apps/contacts/ajax/uploadimport.php
index 4c3f5ea..56a966b 100644
--- a/apps/contacts/ajax/uploadimport.php
+++ b/apps/contacts/ajax/uploadimport.php
@@ -35,7 +35,11 @@ $tmpfile = md5(rand());
// If it is a Drag'n'Drop transfer it's handled here.
$fn = (isset($_SERVER['HTTP_X_FILE_NAME']) ? $_SERVER['HTTP_X_FILE_NAME'] : false);
+$fn = strtr($fn, array('/' => '', "\\" => ''));
if($fn) {
+ if(OC_Filesystem::isFileBlacklisted($fn)) {
+ bailOut($l10n->t('Upload of blacklisted file:') . $fn);
+ }
if($view->file_put_contents('/'.$tmpfile, file_get_contents('php://input'))) {
OCP\JSON::success(array('data' => array('path'=>'', 'file'=>$tmpfile)));
exit();
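Review bot: The new `strtr()` line runs on the `false` sentinel from the ternary above it, so when `HTTP_X_FILE_NAME` is absent `$fn` becomes `''` instead of `false`; `if($fn)` still behaves the same, but the sentinel is now dead and the intent is clearer if the sanitation moves inside the branch: `if($fn) { $fn = strtr($fn, array('/' => '', "\\" => '')); if(OC_Filesystem::isFileBlacklisted($fn)) { ... } }`. The same separator-stripping map plus `isFileBlacklisted()` pair is repeated verbatim in the second hunk of this file and in the first hunk of `apps/contacts/import.php`; a single helper (e.g. a `sanitizeImportName($name)` returning the stripped name or bailing out) would keep the three call sites from drifting apart. Note that only `/` and `\` are removed here, so the check is a filename blacklist, not a path validation; that is fine for this hunk because the content is written to `$tmpfile`, not to `$fn`. The enclosing `if($fn)` block continues past the end of this hunk.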
@@ -66,6 +70,10 @@ $file=$_FILES['importfile'];
$tmpfname = tempnam(get_temp_dir(), "occOrig");
if(file_exists($file['tmp_name'])) {
+ $filename = strtr($file['name'], array('/' => '', "\\" => ''));
+ if(OC_Filesystem::isFileBlacklisted($filename)) {
+ bailOut($l10n->t('Upload of blacklisted file:') . $filename);
+ }
if($view->file_put_contents('/'.$tmpfile, file_get_contents($file['tmp_name']))) {
OCP\JSON::success(array('data' => array('path'=>'', 'file'=>$tmpfile)));
} else {
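Review bot: The blacklist check is placed after `$tmpfname = tempnam(get_temp_dir(), "occOrig");` on the line above the hunk's first context line, so if `bailOut()` terminates the request (as its name suggests) the temp file created by `tempnam()` is left behind on every rejected upload. Either move the `$filename`/`isFileBlacklisted()` lines above the `tempnam()` call, or unlink it before bailing: `unlink($tmpfname); bailOut($l10n->t('Upload of blacklisted file:') . $filename);`. The rejection message concatenates the user-supplied name directly; whether that is safe depends on how `bailOut()` encodes its output, which is not visible here. The enclosing `if(file_exists(...))` block ends outside the hunk.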
diff --git a/apps/contacts/import.php b/apps/contacts/import.php
index 85d4ceb..ffdc438 100644
--- a/apps/contacts/import.php
+++ b/apps/contacts/import.php
@@ -25,11 +25,16 @@ function writeProgress($pct) {
}
writeProgress('10');
$view = $file = null;
+$inputfile = strtr($_POST['file'], array('/' => '', "\\" => ''));
+if(OC_Filesystem::isFileBlacklisted($inputfile)) {
+ OCP\JSON::error(array('data' => array('message' => 'Upload of blacklisted file: ' . $inputfile)));
+ exit();
+}
if(isset($_POST['fstype']) && $_POST['fstype'] == 'OC_FilesystemView') {
$view = OCP\Files::getStorage('contacts');
- $file = $view->file_get_contents('/' . $_POST['file']);
+ $file = $view->file_get_contents('/' . $inputfile);
} else {
- $file = OC_Filesystem::file_get_contents($_POST['path'] . '/' . $_POST['file']);
+ $file = OC_Filesystem::file_get_contents($_POST['path'] . '/' . $inputfile);
}
if(!$file) {
OCP\JSON::error(array('message' => 'Import file was empty.'));
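Review bot: The sanitation covers `$_POST['file']` but the `else` branch still builds the path from `$_POST['path'] . '/' . $inputfile` with `path` taken verbatim, so separator stripping on the filename does not constrain the directory component; whether `OC_Filesystem::file_get_contents()` confines that to the user's storage is not visible here and should be confirmed. `$_POST['file']` is also read without an `isset()` guard on the new line, so a request without it yields a notice and an empty `$inputfile`, which then reaches `file_get_contents('/')`; `$inputfile = isset($_POST['file']) ? strtr($_POST['file'], array('/' => '', "\\" => '')) : '';` followed by an empty-name error would make that explicit. The rejection message here is a hard-coded English string, whereas `uploadimport.php` uses `$l10n->t('Upload of blacklisted file:')` for the same case; using the translated string keeps the two handlers consistent.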
@@ -115,7 +120,7 @@ if(count($parts) == 1){
$imported = 0;
$failed = 0;
if(!count($importready) > 0) {
- OCP\JSON::error(array('data' => (array('message' => 'No contacts to import in .'.$_POST['file'].' Please check if the file is corrupted.'))));
+ OCP\JSON::error(array('data' => (array('message' => 'No contacts to import in .'.$inputfile.' Please check if the file is corrupted.'))));
exit();
}
foreach($importready as $import){
@@ -135,8 +140,8 @@ if(is_writable('import_tmp/')){
unlink($progressfile);
}
if(isset($_POST['fstype']) && $_POST['fstype'] == 'OC_FilesystemView') {
- if(!$view->unlink('/' . $_POST['file'])) {
- OCP\Util::writeLog('contacts','Import: Error unlinking OC_FilesystemView ' . '/' . $_POST['file'], OCP\Util::ERROR);
+ if(!$view->unlink('/' . $inputfile)) {
+ OCP\Util::writeLog('contacts','Import: Error unlinking OC_FilesystemView ' . '/' . $inputfile, OCP\Util::ERROR);
}
}
OCP\JSON::success(array('data' => array('imported'=>$imported, 'failed'=>$failed)));
--