fix: Also validate parent path in verifyPath
Signed-off-by: Ferdinand Thiessen <[email protected]>
susnux authored and backportbot[bot] committed Aug 28, 2024
1 parent be2cf06 commit 0b0bc90
Showing 2 changed files with 17 additions and 3 deletions.
6 changes: 4 additions & 2 deletions lib/private/Files/FilenameValidator.php
@@ -25,6 +25,8 @@
*/
class FilenameValidator implements IFilenameValidator {

public const INVALID_FILE_TYPE = 100;

private IL10N $l10n;

/**
@@ -269,12 +271,12 @@ protected function checkForbiddenCharacters(string $filename): void {
*/
protected function checkForbiddenExtension(string $filename): void {
$filename = mb_strtolower($filename);
// Check for forbidden filename exten<sions
// Check for forbidden filename extensions
$forbiddenExtensions = $this->getForbiddenExtensions();
foreach ($forbiddenExtensions as $extension) {
if (str_ends_with($filename, $extension)) {
if (str_starts_with($extension, '.')) {
throw new InvalidPathException($this->l10n->t('"%1$s" is a forbidden file type.', [$extension]));
throw new InvalidPathException($this->l10n->t('"%1$s" is a forbidden file type.', [$extension]), self::INVALID_FILE_TYPE);
} else {
throw new InvalidPathException($this->l10n->t('Filenames must not end with "%1$s".', [$extension]));
}
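Review bot: The new `INVALID_FILE_TYPE` constant is undocumented, and in `checkForbiddenExtension` only the dot-prefixed branch passes it; the `else` branch ('Filenames must not end with …') still throws with the default code. `Storage\Common::verifyPath` in this same commit uses the code to decide which failures to ignore for directories, so that contract should be written on the constant, e.g. `/** Code set on InvalidPathException when a name ends with a forbidden extension; verifyPath() ignores it for parent directories. */`. The code identifies only the check that threw, not that the name is otherwise valid; the order of checks in `validateFilename` is outside the visible hunks, so that caveat belongs in the comment too. It is worth confirming that non-dot suffixes are meant to keep failing for directories, since they do not carry the code.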
14 changes: 13 additions & 1 deletion lib/private/Files/Storage/Common.php
@@ -13,6 +13,7 @@
use OC\Files\Cache\Scanner;
use OC\Files\Cache\Updater;
use OC\Files\Cache\Watcher;
use OC\Files\FilenameValidator;
use OC\Files\Filesystem;
use OC\Files\Storage\Wrapper\Jail;
use OC\Files\Storage\Wrapper\Wrapper;
@@ -494,7 +495,18 @@ public function verifyPath($path, $fileName) {
$this->getFilenameValidator()
->validateFilename($fileName);

// NOTE: $path will remain unverified for now
// verify also the path is valid
if ($path && $path !== '/' && $path !== '.') {
try {
$this->verifyPath(dirname($path), basename($path));
} catch (InvalidPathException $e) {
// Ignore invalid file type exceptions on directories
if ($e->getCode() !== FilenameValidator::INVALID_FILE_TYPE) {
$l = \OCP\Util::getL10N('lib');
throw new InvalidPathException($l->t('Invalid parent path'), previous: $e);
}
}
}
}

/**
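Review bot: Ignoring `INVALID_FILE_TYPE` in the catch also ends the parent walk early. The recursive `verifyPath(dirname($path), basename($path))` throws from `validateFilename` before it reaches its own parent check, so every ancestor above a directory with a forbidden extension is never validated. If `validateFilename` runs the extension check before its other checks (not visible on this page), other problems in that same segment are masked as well. Validating one segment per loop iteration keeps the per-directory exemption without stopping the walk. `verifyPath` starts above the hunk, so any checks it performs before the visible lines would have to be repeated per segment too.

```php
// … unchanged: validateFilename($fileName) call …

// validate each ancestor segment on its own, so an ignored file-type error does not end the walk
$validator = $this->getFilenameValidator();
while ($path && $path !== '/' && $path !== '.') {
	try {
		$validator->validateFilename(basename($path));
	} catch (InvalidPathException $e) {
		// … unchanged: rethrow as 'Invalid parent path' unless the code is INVALID_FILE_TYPE …
	}
	$path = dirname($path);
}
```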
