Merge pull request #18839 from owncloud/autoloader-supersecure

Restrict autoloaded paths to loaded apps (and other enhancements)

lib/autoloader.php

@@ -27,6 +27,8 @@
 
 namespace OC;
 
+use \OCP\AutoloadNotAllowedException;
+
 class Autoloader {
 	private $useGlobalClassPath = true;
 
@@ -58,7 +60,7 @@ public function __construct(array $validRoots) {
 	 * @param string $root
 	 */
 	public function addValidRoot($root) {
-		$this->validRoots[] = $root;
+		$this->validRoots[] = stream_resolve_include_path($root);
 	}
 
 	/**
@@ -129,7 +131,7 @@ protected function isValidPath($fullPath) {
 				return true;
 			}
 		}
-		throw new \Exception('Path not allowed: '. $fullPath);
+		throw new AutoloadNotAllowedException($fullPath);
 	}
 
 	/**

lib/base.php

@@ -552,10 +552,6 @@ public static function init() {
 			exit();
 		}
 
-		foreach(OC::$APPSROOTS as $appRoot) {
-			self::$loader->addValidRoot($appRoot['path']);
-		}
-
 		// setup the basic server
 		self::$server = new \OC\Server(\OC::$WEBROOT);
 		\OC::$server->getEventLogger()->log('autoloader', 'Autoloader', $loaderStart, $loaderEnd);

lib/private/app.php

@@ -105,7 +105,6 @@ public static function loadApps($types = null) {
 		ob_start();
 		foreach ($apps as $app) {
 			if ((is_null($types) or self::isType($app, $types)) && !in_array($app, self::$loadedApps)) {
-				self::$loadedApps[] = $app;
 				self::loadApp($app);
 			}
 		}
@@ -122,6 +121,8 @@ public static function loadApps($types = null) {
 	 * @throws \OC\NeedsUpdateException
 	 */
 	public static function loadApp($app, $checkUpgrade = true) {
+		self::$loadedApps[] = $app;
+		\OC::$loader->addValidRoot(self::getAppPath($app));
 		if (is_file(self::getAppPath($app) . '/appinfo/app.php')) {
 			\OC::$server->getEventLogger()->start('load_app_' . $app, 'Load app: ' . $app);
 			if ($checkUpgrade and self::shouldUpgrade($app)) {

lib/private/backgroundjob/joblist.php

@@ -26,6 +26,7 @@
 namespace OC\BackgroundJob;
 
 use OCP\BackgroundJob\IJobList;
+use OCP\AutoloadNotAllowedException;
 
 class JobList implements IJobList {
 	/**
@@ -185,15 +186,20 @@ private function buildJob($row) {
 		/**
 		 * @var Job $job
 		 */
-		if (!class_exists($class)) {
-			// job from disabled app or old version of an app, no need to do anything
-			return null;
+		try {
+			if (!class_exists($class)) {
+				// job from disabled app or old version of an app, no need to do anything
+				return null;
+			}
+			$job = new $class();
+			$job->setId($row['id']);
+			$job->setLastRun($row['last_run']);
+			$job->setArgument(json_decode($row['argument'], true));
+			return $job;
+		} catch (AutoloadNotAllowedException $e) {
+			// job is from a disabled app, ignore
 		}
-		$job = new $class();
-		$job->setId($row['id']);
-		$job->setLastRun($row['last_run']);
-		$job->setArgument(json_decode($row['argument'], true));
-		return $job;
+		return null;
 	}
 
 	/**

lib/public/autoloadnotallowedexception.php

@@ -0,0 +1,36 @@
+<?php
+/**
+ * @author Robin McCorkell <[email protected]>
+ *
+ * @copyright Copyright (c) 2015, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ */
+
+namespace OCP;
+
+/**
+ * Exception for when a not allowed path is attempted to be autoloaded
+ * @since 8.2.0
+ */
+class AutoloadNotAllowedException extends \DomainException {
+	/**
+	 * @param string $path
+	 * @since 8.2.0
+	 */
+	public function __construct($path) {
+		parent::__construct('Autoload path not allowed: '.$path);
+	}
+}
+