Commit 4bac5950 authored by Thomas Müller's avatar Thomas Müller
Browse files

adding storage specific filename verification - refs #13640

parent 348fe105
......@@ -10,7 +10,7 @@ global $eventSource;
// Get the params
$dir = isset( $_REQUEST['dir'] ) ? '/'.trim((string)$_REQUEST['dir'], '/\\') : '';
$filename = isset( $_REQUEST['filename'] ) ? trim((string)$_REQUEST['filename'], '/\\') : '';
$fileName = isset( $_REQUEST['filename'] ) ? trim((string)$_REQUEST['filename'], '/\\') : '';
$l10n = \OC::$server->getL10N('files');
......@@ -18,23 +18,14 @@ $result = array(
'success' => false,
'data' => NULL
);
$trimmedFileName = trim($filename);
if($trimmedFileName === '') {
$result['data'] = array('message' => (string)$l10n->t('File name cannot be empty.'));
try {
\OC\Files\Filesystem::getView()->verifyPath($dir, $fileName);
} catch (\OCP\Files\InvalidPathException $ex) {
$result['data'] = [
'message' => $ex->getMessage()];
OCP\JSON::error($result);
exit();
}
if($trimmedFileName === '.' || $trimmedFileName === '..') {
$result['data'] = array('message' => (string)$l10n->t('"%s" is an invalid file name.', $trimmedFileName));
OCP\JSON::error($result);
exit();
}
if(!OCP\Util::isValidFileName($filename)) {
$result['data'] = array('message' => (string)$l10n->t("Invalid name, '\\', '/', '<', '>', ':', '\"', '|', '?' and '*' are not allowed."));
OCP\JSON::error($result);
exit();
return;
}
if (!\OC\Files\Filesystem::file_exists($dir . '/')) {
......@@ -46,12 +37,12 @@ if (!\OC\Files\Filesystem::file_exists($dir . '/')) {
exit();
}
$target = $dir.'/'.$filename;
$target = $dir.'/'.$fileName;
if (\OC\Files\Filesystem::file_exists($target)) {
$result['data'] = array('message' => (string)$l10n->t(
'The name %s is already used in the folder %s. Please choose a different name.',
array($filename, $dir))
array($fileName, $dir))
);
OCP\JSON::error($result);
exit();
......
......@@ -9,7 +9,7 @@ OCP\JSON::callCheck();
// Get the params
$dir = isset($_POST['dir']) ? (string)$_POST['dir'] : '';
$foldername = isset($_POST['foldername']) ?(string) $_POST['foldername'] : '';
$folderName = isset($_POST['foldername']) ?(string) $_POST['foldername'] : '';
$l10n = \OC::$server->getL10N('files');
......@@ -18,16 +18,13 @@ $result = array(
'data' => NULL
);
if(trim($foldername) === '') {
$result['data'] = array('message' => $l10n->t('Folder name cannot be empty.'));
try {
\OC\Files\Filesystem::getView()->verifyPath($dir, $folderName);
} catch (\OCP\Files\InvalidPathException $ex) {
$result['data'] = [
'message' => $ex->getMessage()];
OCP\JSON::error($result);
exit();
}
if(!OCP\Util::isValidFileName($foldername)) {
$result['data'] = array('message' => (string)$l10n->t("Invalid name, '\\', '/', '<', '>', ':', '\"', '|', '?' and '*' are not allowed."));
OCP\JSON::error($result);
exit();
return;
}
if (!\OC\Files\Filesystem::file_exists($dir . '/')) {
......@@ -39,12 +36,12 @@ if (!\OC\Files\Filesystem::file_exists($dir . '/')) {
exit();
}
$target = $dir . '/' . $foldername;
$target = $dir . '/' . $folderName;
if (\OC\Files\Filesystem::file_exists($target)) {
$result['data'] = array('message' => $l10n->t(
'The name %s is already used in the folder %s. Please choose a different name.',
array($foldername, $dir))
array($folderName, $dir))
);
OCP\JSON::error($result);
exit();
......@@ -52,9 +49,9 @@ if (\OC\Files\Filesystem::file_exists($target)) {
if(\OC\Files\Filesystem::mkdir($target)) {
if ( $dir !== '/') {
$path = $dir.'/'.$foldername;
$path = $dir.'/'.$folderName;
} else {
$path = '/'.$foldername;
$path = '/'.$folderName;
}
$meta = \OC\Files\Filesystem::getFileInfo($path);
$meta['type'] = 'dir'; // missing ?!
......
......@@ -103,13 +103,13 @@
throw t('files', 'File name cannot be empty.');
}
// check for invalid characters
var invalidCharacters =
['\\', '/', '<', '>', ':', '"', '|', '?', '*', '\n'];
for (var i = 0; i < invalidCharacters.length; i++) {
if (trimmedName.indexOf(invalidCharacters[i]) !== -1) {
throw t('files', "Invalid name, '\\', '/', '<', '>', ':', '\"', '|', '?' and '*' are not allowed.");
}
}
//var invalidCharacters =
// ['\\', '/', '<', '>', ':', '"', '|', '?', '*', '\n'];
//for (var i = 0; i < invalidCharacters.length; i++) {
// if (trimmedName.indexOf(invalidCharacters[i]) !== -1) {
// throw t('files', "Invalid name, '\\', '/', '<', '>', ':', '\"', '|', '?' and '*' are not allowed.");
// }
//}
return true;
},
displayStorageWarnings: function() {
......
<?php
/**
* Copyright (c) 2015 Thomas Müller <deepdiver@owncloud.com>
* This file is licensed under the Affero General Public License version 3 or
* later.
* See the COPYING-README file. */
class OC_Connector_Sabre_Exception_InvalidPath extends \Sabre\DAV\Exception {
/**
* @var bool
*/
private $retry;
/**
* @param string $message
* @param bool $retry
*/
public function __construct($message, $retry = false) {
parent::__construct($message);
$this->retry = $retry;
}
/**
* Returns the HTTP status code for this exception
*
* @return int
*/
public function getHTTPCode() {
return 400;
}
/**
* This method allows the exception to include additional information into the WebDAV error response
*
* @param \Sabre\DAV\Server $server
* @param \DOMElement $errorNode
* @return void
*/
public function serialize(\Sabre\DAV\Server $server,\DOMElement $errorNode) {
// set owncloud namespace
$errorNode->setAttribute('xmlns:o', OC_Connector_Sabre_FilesPlugin::NS_OWNCLOUD);
// adding the retry node
$error = $errorNode->ownerDocument->createElementNS('o:','o:retry', var_export($this->retry, true));
$errorNode->appendChild($error);
// adding the message node
$error = $errorNode->ownerDocument->createElementNS('o:','o:reason', $this->getMessage());
$errorNode->appendChild($error);
}
}
......@@ -66,17 +66,15 @@ class File extends \OC\Connector\Sabre\Node implements \Sabre\DAV\IFile {
throw new \Sabre\DAV\Exception\ServiceUnavailable("Encryption is disabled");
}
$fileName = basename($this->info->getPath());
if (!\OCP\Util::isValidFileName($fileName)) {
throw new \Sabre\DAV\Exception\BadRequest();
}
// verify path of the target
$this->verifyPath();
// chunked handling
if (isset($_SERVER['HTTP_OC_CHUNKED'])) {
return $this->createFileChunked($data);
}
list($storage,) = $this->fileView->resolvePath($this->path);
list($storage) = $this->fileView->resolvePath($this->path);
$needsPartFile = $this->needsPartFile($storage) && (strlen($this->path) > 1);
if ($needsPartFile) {
......@@ -329,5 +327,5 @@ class File extends \OC\Connector\Sabre\Node implements \Sabre\DAV\IFile {
// and/or add method on Storage called "needsPartFile()"
return !$storage->instanceOfStorage('OCA\Files_Sharing\External\Storage') &&
!$storage->instanceOfStorage('OC\Files\Storage\OwnCloud');
}
}
}
......@@ -103,9 +103,8 @@ abstract class Node implements \Sabre\DAV\INode {
list($parentPath,) = \Sabre\HTTP\URLUtil::splitPath($this->path);
list(, $newName) = \Sabre\HTTP\URLUtil::splitPath($name);
if (!\OCP\Util::isValidFileName($newName)) {
throw new \Sabre\DAV\Exception\BadRequest();
}
// verify path of the target
$this->verifyPath();
$newPath = $parentPath . '/' . $newName;
......@@ -230,4 +229,13 @@ abstract class Node implements \Sabre\DAV\INode {
}
return $p;
}
protected function verifyPath() {
try {
$fileName = basename($this->info->getPath());
$this->fileView->verifyPath($this->path, $fileName);
} catch (\OCP\Files\InvalidPathException $ex) {
throw new OC_Connector_Sabre_Exception_InvalidPath($ex->getMessage());
}
}
}
......@@ -11,6 +11,7 @@ namespace OC\Connector\Sabre;
use OC\Files\FileInfo;
use OC\Files\Filesystem;
use OC\Files\Mount\MoveableMount;
use OC_Connector_Sabre_Exception_InvalidPath;
use OCP\Files\StorageInvalidException;
use OCP\Files\StorageNotAvailableException;
......@@ -185,8 +186,10 @@ class ObjectTree extends \Sabre\DAV\Tree {
}
$fileName = basename($destinationPath);
if (!\OCP\Util::isValidFileName($fileName)) {
throw new \Sabre\DAV\Exception\BadRequest();
try {
$this->fileView->verifyPath($destinationDir, $fileName);
} catch (\OCP\Files\InvalidPathException $ex) {
throw new OC_Connector_Sabre_Exception_InvalidPath($ex->getMessage());
}
$renameOkay = $this->fileView->rename($sourcePath, $destinationPath);
......
......@@ -8,8 +8,12 @@
namespace OC\Files\Storage;
use OC\Files\Cache\Cache;
use OC\Files\Cache\Scanner;
use OC\Files\Cache\Storage;
use OC\Files\Filesystem;
use OC\Files\Cache\Watcher;
use OCP\Files\InvalidPathException;
/**
* Storage backend class for providing common filesystem operation methods
......@@ -25,7 +29,6 @@ use OC\Files\Cache\Watcher;
abstract class Common implements \OC\Files\Storage\Storage {
protected $cache;
protected $scanner;
protected $permissioncache;
protected $watcher;
protected $storageCache;
......@@ -303,7 +306,7 @@ abstract class Common implements \OC\Files\Storage\Storage {
$storage = $this;
}
if (!isset($this->cache)) {
$this->cache = new \OC\Files\Cache\Cache($storage);
$this->cache = new Cache($storage);
}
return $this->cache;
}
......@@ -313,7 +316,7 @@ abstract class Common implements \OC\Files\Storage\Storage {
$storage = $this;
}
if (!isset($this->scanner)) {
$this->scanner = new \OC\Files\Cache\Scanner($storage);
$this->scanner = new Scanner($storage);
}
return $this->scanner;
}
......@@ -323,7 +326,7 @@ abstract class Common implements \OC\Files\Storage\Storage {
$storage = $this;
}
if (!isset($this->watcher)) {
$this->watcher = new \OC\Files\Cache\Watcher($storage);
$this->watcher = new Watcher($storage);
$this->watcher->setPolicy(\OC::$server->getConfig()->getSystemValue('filesystem_check_changes', Watcher::CHECK_ONCE));
}
return $this->watcher;
......@@ -334,7 +337,7 @@ abstract class Common implements \OC\Files\Storage\Storage {
$storage = $this;
}
if (!isset($this->storageCache)) {
$this->storageCache = new \OC\Files\Cache\Storage($storage);
$this->storageCache = new Storage($storage);
}
return $this->storageCache;
}
......@@ -451,4 +454,58 @@ abstract class Common implements \OC\Files\Storage\Storage {
return [];
}
/**
* @inheritdoc
*/
public function verifyPath($path, $fileName) {
// NOTE: $path will remain unverified for now
if (\OC_Util::runningOnWindows()) {
$this->verifyWindowsPath($fileName);
} else {
$this->verifyPosixPath($fileName);
}
}
/**
* https://msdn.microsoft.com/en-us/library/windows/desktop/aa365247%28v=vs.85%29.aspx
* @param string $fileName
* @throws InvalidPathException
*/
private function verifyWindowsPath($fileName) {
$fileName = trim($fileName);
$this->scanForInvalidCharacters($fileName, "\\/<>:\"|?*");
$reservedNames = ['CON', 'PRN', 'AUX', 'NUL', 'COM1', 'COM2', 'COM3', 'COM4', 'COM5', 'COM6', 'COM7', 'COM8', 'COM9', 'LPT1', 'LPT2', 'LPT3', 'LPT4', 'LPT5', 'LPT6', 'LPT7', 'LPT8', 'LPT9'];
if (in_array(strtoupper($fileName), $reservedNames)) {
throw new InvalidPathException("File name is a reserved word");
}
}
/**
* @param string $fileName
* @throws InvalidPathException
*/
private function verifyPosixPath($fileName) {
$fileName = trim($fileName);
$this->scanForInvalidCharacters($fileName, "\\/");
$reservedNames = ['*'];
if (in_array($fileName, $reservedNames)) {
throw new InvalidPathException("File name is a reserved word");
}
}
/**
* @param $fileName
* @throws InvalidPathException
*/
private function scanForInvalidCharacters($fileName, $invalidChars) {
foreach (str_split($fileName) as $char) {
if (strpos($invalidChars, $char) !== false) {
throw new InvalidPathException('File name contains at least one invalid characters');
}
if (ord($char) >= 0 && ord($char) <= 31) {
throw new InvalidPathException('File name contains at least one invalid characters');
}
}
}
}
......@@ -8,6 +8,8 @@
namespace OC\Files\Storage\Wrapper;
use OCP\Files\InvalidPathException;
class Wrapper implements \OC\Files\Storage\Storage {
/**
* @var \OC\Files\Storage\Storage $storage
......@@ -477,4 +479,14 @@ class Wrapper implements \OC\Files\Storage\Storage {
public function getDirectDownload($path) {
return $this->storage->getDirectDownload($path);
}
/**
* @param string $path the path of the target folder
* @param string $fileName the name of the file itself
* @return void
* @throws InvalidPathException
*/
public function verifyPath($path, $fileName) {
$this->storage->verifyPath($path, $fileName);
}
}
......@@ -11,6 +11,7 @@ namespace OC\Files;
use OC\Files\Cache\Updater;
use OC\Files\Mount\MoveableMount;
use OCP\Files\InvalidPathException;
/**
* Class to provide access to ownCloud filesystem via a "view", and methods for
......@@ -29,11 +30,10 @@ use OC\Files\Mount\MoveableMount;
* \OC\Files\Storage\Storage object
*/
class View {
/** @var string */
private $fakeRoot = '';
/**
* @var \OC\Files\Cache\Updater
*/
/** @var \OC\Files\Cache\Updater */
protected $updater;
/**
......@@ -116,7 +116,7 @@ class View {
* get the mountpoint of the storage object for a path
* ( note: because a storage is not always mounted inside the fakeroot, the
* returned mountpoint is relative to the absolute root of the filesystem
* and doesn't take the chroot into account )
* and does not take the chroot into account )
*
* @param string $path
* @return string
......@@ -129,7 +129,7 @@ class View {
* get the mountpoint of the storage object for a path
* ( note: because a storage is not always mounted inside the fakeroot, the
* returned mountpoint is relative to the absolute root of the filesystem
* and doesn't take the chroot into account )
* and does not take the chroot into account )
*
* @param string $path
* @return \OCP\Files\Mount\IMountPoint
......@@ -1532,7 +1532,32 @@ class View {
/**
* @return Updater
*/
public function getUpdater(){
public function getUpdater() {
return $this->updater;
}
public function verifyPath($path, $fileName) {
// verify empty and dot files
$trimmed = trim($fileName);
if ($trimmed === '') {
throw new InvalidPathException('Empty filename is not allowed');
}
if ($trimmed === '.' || $trimmed === '..') {
throw new InvalidPathException('Dot files are not allowed');
}
// verify database - e.g. mysql only 3-byte chars
if (preg_match('%^(?:
\xF0[\x90-\xBF][\x80-\xBF]{2} # planes 1-3
| [\xF1-\xF3][\x80-\xBF]{3} # planes 4-15
| \xF4[\x80-\x8F][\x80-\xBF]{2} # plane 16
)*$%xs', $fileName)) {
throw new InvalidPathException('4-byte characters are not supported in file names');
}
/** @type \OCP\Files\Storage $storage */
list($storage, $internalPath) = $this->resolvePath($path);
$storage->verifyPath($internalPath, $fileName);
}
}
......@@ -28,6 +28,7 @@
// use OCP namespace for all classes that are considered public.
// This means that they should be used by apps instead of the internal ownCloud classes
namespace OCP\Files;
use OCP\Files\InvalidPathException;
/**
* Provide a common interface to all different storage options
......@@ -345,4 +346,12 @@ interface Storage {
* @return array|false
*/
public function getDirectDownload($path);
/**
* @param string $path the path of the target folder
* @param string $fileName the name of the file itself
* @return void
* @throws InvalidPathException
*/
public function verifyPath($path, $fileName);
}
<?php
/**
* Copyright (c) 2015 Thomas Müller <deepdiver@owncloud.com>
* This file is licensed under the Affero General Public License version 3 or
* later.
* See the COPYING-README file.
*/
class Test_OC_Connector_Sabre_Exception_InvalidPath extends \Test\TestCase {
public function testSerialization() {
// create xml doc
$DOM = new \DOMDocument('1.0','utf-8');
$DOM->formatOutput = true;
$error = $DOM->createElementNS('DAV:','d:error');
$error->setAttribute('xmlns:s', Sabre\DAV\Server::NS_SABREDAV);
$DOM->appendChild($error);
// serialize the exception
$message = "1234567890";
$retry = false;
$expectedXml = <<<EOD
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:o="http://owncloud.org/ns">
<o:retry xmlns:o="o:">false</o:retry>
<o:reason xmlns:o="o:">1234567890</o:reason>
</d:error>
EOD;
$ex = new OC_Connector_Sabre_Exception_InvalidPath($message, $retry);
$server = $this->getMock('Sabre\DAV\Server');
$ex->serialize($server, $error);
// assert
$xml = $DOM->saveXML();
$this->assertEquals($expectedXml, $xml);
}
}
<?php
/**
* Copyright (c) 2015 Thomas Müller <deepdiver@owncloud.com>
* This file is licensed under the Affero General Public License version 3 or
* later.
* See the COPYING-README file. */
namespace Test\Files;
use OC\Files\Storage\Local;
use OC\Files\View;
class PathVerification extends \Test\TestCase {
/**
* @var \OC\Files\View
*/
private $view;
protected function setUp() {
parent::setUp();
$this->view = new View();
}
/**
* @dataProvider providesEmptyFiles
* @expectedException \OCP\Files\InvalidPathException
* @expectedExceptionMessage Empty filename is not allowed
*/
public function testPathVerificationEmptyFileName($fileName) {
$this->view->verifyPath('', $fileName);
}
public function providesEmptyFiles() {
return [
[''],
[' '],
];
}
/**
* @dataProvider providesDotFiles
* @expectedException \OCP\Files\InvalidPathException
* @expectedExceptionMessage Dot files are not allowed
*/
public function testPathVerificationDotFiles($fileName) {
$this->view->verifyPath('', $fileName);
}
public function providesDotFiles() {
return [
['.'],
['..'],
[' .'],
[' ..'],
['. '],
['.. '],
[' . '],
[' .. '],
];
}
/**
* @dataProvider providesAstralPlane
* @expectedException \OCP\Files\InvalidPathException
* @expectedExceptionMessage 4-byte characters are not supported in file names
*/
public function testPathVerificationAstralPlane($fileName) {
$this->view->verifyPath('', $fileName);
}
public function providesAstralPlane() {
return [