diff --git a/lib/connector/sabre/directory.php b/lib/connector/sabre/directory.php
index 6ccb54b79abe564ba18d3694c8b87b04de4b1d1c..3d15a2a584d4acca517a9089e45f30902d2aeaac 100644
--- a/lib/connector/sabre/directory.php
+++ b/lib/connector/sabre/directory.php
@@ -45,9 +45,15 @@ class OC_Connector_Sabre_Directory extends OC_Connector_Sabre_Node implements Sa
*
* @param string $name Name of the file
* @param resource|string $data Initial payload
+ * @throws Sabre_DAV_Exception_Forbidden
* @return null|string
*/
public function createFile($name, $data = null) {
+
+ if (!\OC\Files\Filesystem::isCreatable($this->path)) {
+ throw new \Sabre_DAV_Exception_Forbidden();
+ }
+
if (isset($_SERVER['HTTP_OC_CHUNKED'])) {
$info = OC_FileChunking::decodeName($name);
if (empty($info)) {
@@ -102,10 +108,15 @@ class OC_Connector_Sabre_Directory extends OC_Connector_Sabre_Node implements Sa
* Creates a new subdirectory
*
* @param string $name
+ * @throws Sabre_DAV_Exception_Forbidden
* @return void
*/
public function createDirectory($name) {
+ if (!\OC\Files\Filesystem::isCreatable($this->path)) {
+ throw new \Sabre_DAV_Exception_Forbidden();
+ }
+
$newPath = $this->path . '/' . $name;
if(!\OC\Files\Filesystem::mkdir($newPath)) {
throw new Sabre_DAV_Exception_Forbidden('Could not create directory '.$newPath);
@@ -203,9 +214,13 @@ class OC_Connector_Sabre_Directory extends OC_Connector_Sabre_Node implements Sa
* Deletes all files in this directory, and then itself
*
* @return void
+ * @throws Sabre_DAV_Exception_Forbidden
*/
public function delete() {
+ if (!\OC\Files\Filesystem::isDeletable($this->path)) {
+ throw new \Sabre_DAV_Exception_Forbidden();
+ }
if ($this->path != "/Shared") {
foreach($this->getChildren() as $child) $child->delete();
\OC\Files\Filesystem::rmdir($this->path);
diff --git a/lib/connector/sabre/file.php b/lib/connector/sabre/file.php
index 91646312e901a6cdb77f4697908e876be8238e55..438d9871c228ef83851f87bf2497112b35528d46 100644
--- a/lib/connector/sabre/file.php
+++ b/lib/connector/sabre/file.php
@@ -41,24 +41,29 @@ class OC_Connector_Sabre_File extends OC_Connector_Sabre_Node implements Sabre_D
* return an ETag, and just return null.
*
* @param resource $data
+ * @throws Sabre_DAV_Exception_Forbidden
* @return string|null
*/
public function put($data) {
+ if (!\OC\Files\Filesystem::isUpdatable($this->path)) {
+ throw new \Sabre_DAV_Exception_Forbidden();
+ }
+
// mark file as partial while uploading (ignored by the scanner)
$partpath = $this->path . '.part';
\OC\Files\Filesystem::file_put_contents($partpath, $data);
//detect aborted upload
- if (isset ($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'PUT' ) {
+ if (isset ($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'PUT') {
if (isset($_SERVER['CONTENT_LENGTH'])) {
$expected = $_SERVER['CONTENT_LENGTH'];
$actual = \OC\Files\Filesystem::filesize($partpath);
if ($actual != $expected) {
\OC\Files\Filesystem::unlink($partpath);
throw new Sabre_DAV_Exception_BadRequest(
- 'expected filesize ' . $expected . ' got ' . $actual);
+ 'expected filesize ' . $expected . ' got ' . $actual);
}
}
}
@@ -69,7 +74,7 @@ class OC_Connector_Sabre_File extends OC_Connector_Sabre_Node implements Sabre_D
//allow sync clients to send the mtime along in a header
$mtime = OC_Request::hasModificationTime();
if ($mtime !== false) {
- if(\OC\Files\Filesystem::touch($this->path, $mtime)) {
+ if (\OC\Files\Filesystem::touch($this->path, $mtime)) {
header('X-OC-MTime: accepted');
}
}
@@ -92,9 +97,13 @@ class OC_Connector_Sabre_File extends OC_Connector_Sabre_Node implements Sabre_D
* Delete the current file
*
* @return void
+ * @throws Sabre_DAV_Exception_Forbidden
*/
public function delete() {
+ if (!\OC\Files\Filesystem::isDeletable($this->path)) {
+ throw new \Sabre_DAV_Exception_Forbidden();
+ }
\OC\Files\Filesystem::unlink($this->path);
}