[Pkg-owncloud-commits] [owncloud] 145/215: Filter potential dangerous filenames for avatars

Tue May 5 01:01:40 UTC 2015

This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to branch stable8
in repository owncloud.

commit 34d0e610ccb2f188954b33d87b4ad806a2de66fc
Author: Lukas Reschke <lukas at owncloud.com>
Date:   Tue Apr 28 16:57:23 2015 +0200

    Filter potential dangerous filenames for avatars
    
    We don't want to have users misusing this API resulting in a potential file disclosure of "avatar.(jpg|png)" files.
---
 lib/private/avatar.php        | 14 ++++++++++----
 lib/private/avatarmanager.php |  1 +
 tests/lib/avatar.php          | 23 +++++++++++++++++++++++
 3 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/lib/private/avatar.php b/lib/private/avatar.php
index e3c9eb2..61a1798 100644
--- a/lib/private/avatar.php
+++ b/lib/private/avatar.php
@@ -8,6 +8,7 @@
  * @author Robin McCorkell <rmccorkell at karoshi.org.uk>
  * @author Roeland Jago Douma <roeland at famdouma.nl>
  * @author Thomas Müller <thomas.mueller at tmit.eu>
+ * @author Lukas Reschke <lukas at owncloud.com>
  *
  * @copyright Copyright (c) 2015, ownCloud, Inc.
  * @license AGPL-3.0
@@ -26,23 +27,28 @@
  *
  */
 
- namespace OC;
+namespace OC;
 
- use OC_Image;
+use OC\Files\Filesystem;
+use OC_Image;
 
 /**
  * This class gets and sets users avatars.
  */
 
 class Avatar implements \OCP\IAvatar {
-
+	/** @var Files\View  */
 	private $view;
 
 	/**
 	 * constructor
 	 * @param string $user user to do avatar-management with
-	*/
+	 * @throws \Exception In case the username is potentially dangerous
+	 */
 	public function __construct ($user) {
+		if(!Filesystem::isValidPath($user)) {
+			throw new \Exception('Username may not contain slashes');
+		}
 		$this->view = new \OC\Files\View('/'.$user);
 	}
 
diff --git a/lib/private/avatarmanager.php b/lib/private/avatarmanager.php
index 0ff4a34..42f711e 100644
--- a/lib/private/avatarmanager.php
+++ b/lib/private/avatarmanager.php
@@ -37,6 +37,7 @@ class AvatarManager implements IAvatarManager {
 	 * @see \OCP\IAvatar
 	 * @param string $user the ownCloud user id
 	 * @return \OCP\IAvatar
+	 * @throws \Exception In case the username is potentially dangerous
 	 */
 	public function getAvatar($user) {
 		return new Avatar($user);
diff --git a/tests/lib/avatar.php b/tests/lib/avatar.php
index 9e1f367..badee9f 100644
--- a/tests/lib/avatar.php
+++ b/tests/lib/avatar.php
@@ -34,6 +34,29 @@ class Test_Avatar extends \Test\TestCase {
 		}
 	}
 
+	/**
+	 * @return array
+	 */
+	public function traversalProvider() {
+		return [
+			['Pot\..\entiallyDangerousUsername'],
+			['Pot/..\entiallyDangerousUsername'],
+			['PotentiallyDangerousUsername/..'],
+			['PotentiallyDangerousUsername\../'],
+			['/../PotentiallyDangerousUsername'],
+		];
+	}
+
+	/**
+	 * @dataProvider traversalProvider
+	 * @expectedException \Exception
+	 * @expectedExceptionMessage Username may not contain slashes
+	 * @param string $dangerousUsername
+	 */
+	public function testAvatarTraversal($dangerousUsername) {
+		new Avatar($dangerousUsername);
+	}
+
 	public function testAvatar() {
 
 		$avatar = new Avatar($this->user);

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/owncloud.git

