Unverified Commit 2d781e56 authored by Thomas Müller's avatar Thomas Müller
Browse files

Sanitize length headers when validating quota

parent 6b8e8edc
......@@ -24,6 +24,11 @@
*
*/
namespace OCA\DAV\Connector\Sabre;
use OCP\Files\FileInfo;
use OCP\Files\StorageNotAvailableException;
use Sabre\DAV\Exception\InsufficientStorage;
use Sabre\DAV\Exception\ServiceUnavailable;
use Sabre\HTTP\URLUtil;
/**
* This plugin check user quota and deny creating files when they exceeds the quota.
......@@ -76,17 +81,16 @@ class QuotaPlugin extends \Sabre\DAV\ServerPlugin {
* This method is called before any HTTP method and validates there is enough free space to store the file
*
* @param string $uri
* @param null $data
* @throws \Sabre\DAV\Exception\InsufficientStorage
* @throws InsufficientStorage
* @return bool
*/
public function checkQuota($uri, $data = null) {
public function checkQuota($uri) {
$length = $this->getLength();
if ($length) {
if (substr($uri, 0, 1) !== '/') {
$uri = '/' . $uri;
}
list($parentUri, $newName) = \Sabre\HTTP\URLUtil::splitPath($uri);
list($parentUri, $newName) = URLUtil::splitPath($uri);
if(is_null($parentUri)) {
$parentUri = '';
}
......@@ -101,11 +105,11 @@ class QuotaPlugin extends \Sabre\DAV\ServerPlugin {
$uri = rtrim($parentUri, '/') . '/' . $info['name'];
}
$freeSpace = $this->getFreeSpace($uri);
if ($freeSpace !== \OCP\Files\FileInfo::SPACE_UNKNOWN && $length > $freeSpace) {
if ($freeSpace !== FileInfo::SPACE_UNKNOWN && $length > $freeSpace) {
if (isset($chunkHandler)) {
$chunkHandler->cleanup();
}
throw new \Sabre\DAV\Exception\InsufficientStorage();
throw new InsufficientStorage();
}
}
return true;
......@@ -119,12 +123,13 @@ class QuotaPlugin extends \Sabre\DAV\ServerPlugin {
public function getLength() {
$req = $this->server->httpRequest;
$length = $req->getHeader('X-Expected-Entity-Length');
if (!$length) {
if (!is_numeric($length)) {
$length = $req->getHeader('Content-Length');
$length = is_numeric($length) ? $length : null;
}
$ocLength = $req->getHeader('OC-Total-Length');
if ($length && $ocLength) {
if (is_numeric($length) && is_numeric($ocLength)) {
return max($length, $ocLength);
}
......@@ -134,13 +139,14 @@ class QuotaPlugin extends \Sabre\DAV\ServerPlugin {
/**
* @param string $uri
* @return mixed
* @throws ServiceUnavailable
*/
public function getFreeSpace($uri) {
try {
$freeSpace = $this->view->free_space(ltrim($uri, '/'));
return $freeSpace;
} catch (\OCP\Files\StorageNotAvailableException $e) {
throw new \Sabre\DAV\Exception\ServiceUnavailable($e->getMessage());
} catch (StorageNotAvailableException $e) {
throw new ServiceUnavailable($e->getMessage());
}
}
}
......@@ -22,22 +22,20 @@
*
*/
namespace OCA\DAV\Tests\unit\Connector\Sabre;
use Test\TestCase;
/**
* Copyright (c) 2013 Thomas Müller <thomas.mueller@tmit.eu>
* This file is licensed under the Affero General Public License version 3 or
* later.
* See the COPYING-README file.
*/
class QuotaPluginTest extends \Test\TestCase {
class QuotaPluginTest extends TestCase {
/**
* @var \Sabre\DAV\Server
*/
/** @var \Sabre\DAV\Server | \PHPUnit_Framework_MockObject_MockObject */
private $server;
/**
* @var \OCA\DAV\Connector\Sabre\QuotaPlugin
*/
/** @var \OCA\DAV\Connector\Sabre\QuotaPlugin | \PHPUnit_Framework_MockObject_MockObject */
private $plugin;
private function init($quota, $checkedPath = '') {
......@@ -130,6 +128,12 @@ class QuotaPluginTest extends \Test\TestCase {
[512, ['CONTENT-LENGTH' => '512']],
[2048, ['OC-TOTAL-LENGTH' => '2048', 'CONTENT-LENGTH' => '1024']],
[4096, ['OC-TOTAL-LENGTH' => '2048', 'X-EXPECTED-ENTITY-LENGTH' => '4096']],
[null, ['X-EXPECTED-ENTITY-LENGTH' => 'A']],
[null, ['CONTENT-LENGTH' => 'A']],
[1024, ['OC-TOTAL-LENGTH' => 'A', 'CONTENT-LENGTH' => '1024']],
[1024, ['OC-TOTAL-LENGTH' => 'A', 'X-EXPECTED-ENTITY-LENGTH' => '1024']],
[null, ['OC-TOTAL-LENGTH' => '2048', 'X-EXPECTED-ENTITY-LENGTH' => 'A']],
[null, ['OC-TOTAL-LENGTH' => '2048', 'CONTENT-LENGTH' => 'A']],
];
}
......@@ -211,8 +215,11 @@ class QuotaPluginTest extends \Test\TestCase {
}
private function buildFileViewMock($quota, $checkedPath) {
// mock filesysten
$view = $this->createMock('\OC\Files\View', ['free_space'], [], '', false);
// mock file systen
$view = $this->getMockBuilder('\OC\Files\View')
->setMethods(['free_space'])
->setConstructorArgs([])
->getMock();
$view->expects($this->any())
->method('free_space')
->with($this->identicalTo($checkedPath))
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment