fix: Do not leak data directory in exception (security)

Signed-off-by: Ferdinand Thiessen <[email protected]>
nextcloud · Jul 9, 2024 · ee7ad79 · ee7ad79
1 parent 7559560
commit ee7ad79
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/lib/private/Files/Storage/Local.php b/lib/private/Files/Storage/Local.php
@@ -321,7 +321,9 @@ private function checkTreeForForbiddenItems(string $path) {
 		/** @var \SplFileInfo $file */
 		foreach ($iterator as $file) {
 			if (!$this->getFilenameValidator()->isFilenameValid($file->getBasename())) {
-				throw new ForbiddenException('Invalid path: ' . $file->getPathname(), false);
+				// Do not leak data dir
+				$filePath = substr($file->getPathname(), strlen($this->datadir));
+				throw new ForbiddenException('Invalid path: ' . $filePath, false);
 			}
 		}
 	}