Commit a7df23ce authored by Lukas Reschke's avatar Lukas Reschke

Manually type-case all AJAX files

This enforces proper types on POST and GET arguments where I considered it sensible. I didn't update some as I don't know what kind of values they would support 🙈

Fixes https://github.com/owncloud/core/issues/14196 for core
parent 51f8d240
......@@ -6,18 +6,18 @@ OCP\JSON::callCheck();
// Get data
$dir = isset($_POST['dir']) ? $_POST['dir'] : '';
$allFiles = isset($_POST["allfiles"]) ? $_POST["allfiles"] : false;
$dir = isset($_POST['dir']) ? (string)$_POST['dir'] : '';
$allFiles = isset($_POST["allfiles"]) ? (bool)$_POST["allfiles"] : false;
// delete all files in dir ?
if ($allFiles === 'true') {
if ($allFiles === true) {
$files = array();
$fileList = \OC\Files\Filesystem::getDirectoryContent($dir);
foreach ($fileList as $fileInfo) {
$files[] = $fileInfo['name'];
}
} else {
$files = isset($_POST["file"]) ? $_POST["file"] : $_POST["files"];
$files = isset($_POST["file"]) ? (string)$_POST["file"] : (string)$_POST["files"];
$files = json_decode($files);
}
$filesWithError = '';
......
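Review bot: The `(bool)` cast on the `allfiles` line turns the string `'false'` into `true`, so a client that sends `allfiles=false` (a value the old `=== 'true'` comparison implies was possible) now deletes every file in `$dir` instead of only the listed ones. Keeping the strict string comparison preserves the old behaviour while still yielding a real boolean: `$allFiles = isset($_POST["allfiles"]) && $_POST["allfiles"] === 'true';` with the `if ($allFiles === true)` check left as is. The `(string)$_POST["files"]` fallback is still read without an `isset` guard, so a request carrying neither `file` nor `files` raises an undefined-index notice and decodes an empty string; that was true before the change but is worth closing in the same pass.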
......@@ -25,8 +25,8 @@
OCP\User::checkLoggedIn();
\OC::$server->getSession()->close();
$files = isset($_GET['files']) ? $_GET['files'] : '';
$dir = isset($_GET['dir']) ? $_GET['dir'] : '';
$files = isset($_GET['files']) ? (string)$_GET['files'] : '';
$dir = isset($_GET['dir']) ? (string)$_GET['dir'] : '';
$files_list = json_decode($files);
// in case we get only a single file
......
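Review bot: A `(string)` cast does not reject a parameter that arrives as an array; `files[]=x` becomes the literal string `"Array"` plus an "Array to string conversion" notice, which `json_decode` then turns into `null` on the next line. For this file that is only a broken download, but the same cast is applied to credentials and tokens later in the commit (changepassword.php, updateprivatekeypassword.php, the Dropbox and Google token handlers), where an array-shaped parameter would silently become the value `"Array"`. A stricter guard such as `$files = isset($_GET['files']) && is_string($_GET['files']) ? $_GET['files'] : '';` rejects the wrong shape instead of converting it, and the same pattern fits the other files.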
......@@ -3,7 +3,7 @@
$dir = '/';
if (isset($_GET['dir'])) {
$dir = $_GET['dir'];
$dir = (string)$_GET['dir'];
}
OCP\JSON::checkLoggedIn();
......
......@@ -5,7 +5,7 @@ OCP\JSON::checkLoggedIn();
$l = \OC::$server->getL10N('files');
// Load the files
$dir = isset($_GET['dir']) ? $_GET['dir'] : '';
$dir = isset($_GET['dir']) ? (string)$_GET['dir'] : '';
$dir = \OC\Files\Filesystem::normalizePath($dir);
try {
......@@ -20,7 +20,7 @@ try {
$permissions = $dirInfo->getPermissions();
$sortAttribute = isset($_GET['sort']) ? $_GET['sort'] : 'name';
$sortAttribute = isset($_GET['sort']) ? (string)$_GET['sort'] : 'name';
$sortDirection = isset($_GET['sortdirection']) ? ($_GET['sortdirection'] === 'desc') : false;
// make filelist
......
<?php
\OC::$server->getSession()->close();
$mime = isset($_GET['mime']) ? $_GET['mime'] : '';
$mime = isset($_GET['mime']) ? (string)$_GET['mime'] : '';
print OC_Helper::mimetypeIcon($mime);
......@@ -5,9 +5,9 @@ OCP\JSON::callCheck();
\OC::$server->getSession()->close();
// Get data
$dir = isset($_POST['dir']) ? $_POST['dir'] : '';
$file = isset($_POST['file']) ? $_POST['file'] : '';
$target = isset($_POST['target']) ? rawurldecode($_POST['target']) : '';
$dir = isset($_POST['dir']) ? (string)$_POST['dir'] : '';
$file = isset($_POST['file']) ? (string)$_POST['file'] : '';
$target = isset($_POST['target']) ? rawurldecode((string)$_POST['target']) : '';
$l = \OC::$server->getL10N('files');
......
......@@ -9,10 +9,10 @@ global $eventSource;
\OC::$server->getSession()->close();
// Get the params
$dir = isset( $_REQUEST['dir'] ) ? '/'.trim($_REQUEST['dir'], '/\\') : '';
$filename = isset( $_REQUEST['filename'] ) ? trim($_REQUEST['filename'], '/\\') : '';
$content = isset( $_REQUEST['content'] ) ? $_REQUEST['content'] : '';
$source = isset( $_REQUEST['source'] ) ? trim($_REQUEST['source'], '/\\') : '';
$dir = isset( $_REQUEST['dir'] ) ? '/'.trim((string)$_REQUEST['dir'], '/\\') : '';
$filename = isset( $_REQUEST['filename'] ) ? trim((string)$_REQUEST['filename'], '/\\') : '';
$content = isset( $_REQUEST['content'] ) ? (string)$_REQUEST['content'] : '';
$source = isset( $_REQUEST['source'] ) ? trim((string)$_REQUEST['source'], '/\\') : '';
if($source) {
$eventSource = \OC::$server->createEventSource();
......
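Review bot: The four parameters here are still read from `$_REQUEST` while every other file in this commit reads `$_POST` or `$_GET`, and `$_REQUEST` also merges cookie values; nothing in the hunk says why. If the reason is that the `source` flow is driven by the `EventSource` created below (which can only be reached with GET, presumably), a one-line comment above the reads such as `// $_REQUEST rather than $_POST: the 'source' download is started through an EventSource, which is GET-only` would keep a later reviewer from narrowing it and breaking that path. Separately, `if($source)` is a truthiness test, so a source named `'0'` is treated as absent after the cast and trim; `if ($source !== '')` expresses the intent.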
......@@ -8,8 +8,8 @@ OCP\JSON::callCheck();
\OC::$server->getSession()->close();
// Get the params
$dir = isset($_POST['dir']) ? $_POST['dir'] : '';
$foldername = isset($_POST['foldername']) ? $_POST['foldername'] : '';
$dir = isset($_POST['dir']) ? (string)$_POST['dir'] : '';
$foldername = isset($_POST['foldername']) ?(string) $_POST['foldername'] : '';
$l10n = \OC::$server->getL10N('files');
......
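Review bot: The cast on the `foldername` line is spaced differently from every other cast in the commit (`?(string) $_POST['foldername']`), which reads as if the space belonged to the cast operand rather than the ternary. Writing it as `$foldername = isset($_POST['foldername']) ? (string)$_POST['foldername'] : '';` matches the `dir` line directly above it and the rest of the change.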
......@@ -30,9 +30,9 @@ $files = new \OCA\Files\App(
\OC::$server->getL10N('files')
);
$result = $files->rename(
isset($_GET['dir']) ? $_GET['dir'] : '',
isset($_GET['file']) ? $_GET['file'] : '',
isset($_GET['newname']) ? $_GET['newname'] : ''
isset($_GET['dir']) ? (string)$_GET['dir'] : '',
isset($_GET['file']) ? (string)$_GET['file'] : '',
isset($_GET['newname']) ? (string)$_GET['newname'] : ''
);
if($result['success'] === true){
......
......@@ -3,7 +3,7 @@ set_time_limit(0); //scanning can take ages
\OC::$server->getSession()->close();
$force = (isset($_GET['force']) and ($_GET['force'] === 'true'));
$dir = isset($_GET['dir']) ? $_GET['dir'] : '';
$dir = isset($_GET['dir']) ? (string)$_GET['dir'] : '';
if (isset($_GET['users'])) {
OC_JSON::checkAdminUser();
if ($_GET['users'] === 'all') {
......
......@@ -16,7 +16,7 @@ $l = \OC::$server->getL10N('files');
if (empty($_POST['dirToken'])) {
// The standard case, files are uploaded through logged in users :)
OCP\JSON::checkLoggedIn();
$dir = isset($_POST['dir']) ? $_POST['dir'] : "";
$dir = isset($_POST['dir']) ? (string)$_POST['dir'] : '';
if (!$dir || empty($dir) || $dir === false) {
OCP\JSON::error(array('data' => array_merge(array('message' => $l->t('Unable to set upload directory.')))));
die();
......@@ -30,9 +30,9 @@ if (empty($_POST['dirToken'])) {
// return only read permissions for public upload
$allowedPermissions = \OCP\Constants::PERMISSION_READ;
$publicDirectory = !empty($_POST['subdir']) ? $_POST['subdir'] : '/';
$publicDirectory = !empty($_POST['subdir']) ? (string)$_POST['subdir'] : '/';
$linkItem = OCP\Share::getShareByToken($_POST['dirToken']);
$linkItem = OCP\Share::getShareByToken((string)$_POST['dirToken']);
if ($linkItem === false) {
OCP\JSON::error(array('data' => array_merge(array('message' => $l->t('Invalid Token')))));
die();
......
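Review bot: With `$dir` now always a string, the guard `if (!$dir || empty($dir) || $dir === false)` on the line after the cast contains a branch that can never fire (`$dir === false`) and two that are the same test, and all of them also reject a directory legitimately named `'0'`. The condition collapses to `if ($dir === '') {`. The public-upload hunk has the same truthiness issue in `!empty($_POST['subdir'])`, where a subdirectory `'0'` silently becomes `'/'`; `isset($_POST['subdir']) && (string)$_POST['subdir'] !== ''` avoids that. The enclosing `if (empty($_POST['dirToken']))` block starts inside the first hunk but continues outside both.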
......@@ -43,7 +43,7 @@ $recoveryKeyId = \OC::$server->getAppConfig()->getValue('files_encryption', 'rec
if (isset($_POST['adminEnableRecovery']) && $_POST['adminEnableRecovery'] === '1') {
$return = Helper::adminEnableRecovery($recoveryKeyId, $_POST['recoveryPassword']);
$return = Helper::adminEnableRecovery($recoveryKeyId, (string)$_POST['recoveryPassword']);
// Return success or failure
if ($return) {
......@@ -57,7 +57,7 @@ if (isset($_POST['adminEnableRecovery']) && $_POST['adminEnableRecovery'] === '1
isset($_POST['adminEnableRecovery'])
&& '0' === $_POST['adminEnableRecovery']
) {
$return = Helper::adminDisableRecovery($_POST['recoveryPassword']);
$return = Helper::adminDisableRecovery((string)$_POST['recoveryPassword']);
if ($return) {
$successMessage = $l->t('Recovery key successfully disabled');
......
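Review bot: `$_POST['recoveryPassword']` is cast and passed to `Helper::adminEnableRecovery` and `adminDisableRecovery` without an `isset` check, so a request that toggles `adminEnableRecovery` but omits the password raises an undefined-index notice and hands `''` to the helper, unless a check exists above the hunk that is not visible here. Every other file in the commit wraps the cast in `isset(...) ? (string)... : ''`; doing the same here and returning the error path when the result is empty would be consistent. The same unguarded cast appears in updateprivatekeypassword.php (`oldPassword`, `newPassword`), userrecovery.php (`userEnableRecovery`) and addMountPoint.php (all six fields). Both `if` blocks here continue past the end of their hunks.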
......@@ -17,9 +17,9 @@ $l = \OC::$server->getL10N('core');
$return = false;
$oldPassword = $_POST['oldPassword'];
$newPassword = $_POST['newPassword'];
$confirmPassword = $_POST['confirmPassword'];
$oldPassword = (string)$_POST['oldPassword'];
$newPassword = (string)$_POST['newPassword'];
$confirmPassword = (string)$_POST['confirmPassword'];
//check if both passwords are the same
if (empty($_POST['oldPassword'])) {
......
......@@ -11,8 +11,8 @@ use OCA\Files_Encryption\Util;
\OCP\JSON::checkAppEnabled('files_encryption');
$loginname = isset($_POST['user']) ? $_POST['user'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
$loginname = isset($_POST['user']) ? (string)$_POST['user'] : '';
$password = isset($_POST['password']) ? (string)$_POST['password'] : '';
$migrationStatus = Util::MIGRATION_COMPLETED;
......
......@@ -18,8 +18,8 @@ $l = \OC::$server->getL10N('core');
$return = false;
$errorMessage = $l->t('Could not update the private key password.');
$oldPassword = $_POST['oldPassword'];
$newPassword = $_POST['newPassword'];
$oldPassword = (string)$_POST['oldPassword'];
$newPassword = (string)$_POST['newPassword'];
$view = new \OC\Files\View('/');
$session = new \OCA\Files_Encryption\Session($view);
......
......@@ -23,7 +23,7 @@ if (
$util = new \OCA\Files_Encryption\Util($view, $userId);
// Save recovery preference to DB
$return = $util->setRecoveryForUser($_POST['userEnableRecovery']);
$return = $util->setRecoveryForUser((string)$_POST['userEnableRecovery']);
if ($_POST['userEnableRecovery'] === '1') {
$util->addRecoveryKeys();
......
......@@ -11,12 +11,12 @@ if ($_POST['isPersonal'] == 'true') {
$isPersonal = false;
}
$mountPoint = $_POST['mountPoint'];
$oldMountPoint = $_POST['oldMountPoint'];
$class = $_POST['class'];
$options = $_POST['classOptions'];
$type = $_POST['mountType'];
$applicable = $_POST['applicable'];
$mountPoint = (string)$_POST['mountPoint'];
$oldMountPoint = (string)$_POST['oldMountPoint'];
$class = (string)$_POST['class'];
$options = (string)$_POST['classOptions'];
$type = (string)$_POST['mountType'];
$applicable = (string)$_POST['applicable'];
if ($oldMountPoint and $oldMountPoint !== $mountPoint) {
OC_Mount_Config::removeMountPoint($oldMountPoint, $type, $applicable, $isPersonal);
......
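Review bot: `$options = (string)$_POST['classOptions'];` looks risky if, as the name suggests, the client posts the backend options as an array (`classOptions[host]=...`): a `(string)` cast on an array yields the literal `"Array"` with a notice, and the mount point would be stored with that as its configuration. If it is an array, keep the shape instead of casting: `$options = isset($_POST['classOptions']) && is_array($_POST['classOptions']) ? $_POST['classOptions'] : array();` — worth confirming against the JavaScript that posts this form, which is outside the hunk. The surrounding `$_POST['isPersonal'] == 'true'` comparison in the hunk header is loose where the rest of the commit uses `===`, and `if ($oldMountPoint and ...)` treats a mount point named `'0'` as absent. The script continues outside the hunk.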
......@@ -9,13 +9,13 @@ $pattern = '';
$limit = null;
$offset = null;
if (isset($_GET['pattern'])) {
$pattern = $_GET['pattern'];
$pattern = (string)$_GET['pattern'];
}
if (isset($_GET['limit'])) {
$limit = $_GET['limit'];
$limit = (int)$_GET['limit'];
}
if (isset($_GET['offset'])) {
$offset = $_GET['offset'];
$offset = (int)$_GET['offset'];
}
$groups = \OC_Group::getGroups($pattern, $limit, $offset);
......
......@@ -8,13 +8,13 @@ OCP\JSON::callCheck();
$l = \OC::$server->getL10N('files_external');
if (isset($_POST['app_key']) && isset($_POST['app_secret'])) {
$oauth = new Dropbox_OAuth_Curl($_POST['app_key'], $_POST['app_secret']);
$oauth = new Dropbox_OAuth_Curl((string)$_POST['app_key'], (string)$_POST['app_secret']);
if (isset($_POST['step'])) {
switch ($_POST['step']) {
case 1:
try {
if (isset($_POST['callback'])) {
$callback = $_POST['callback'];
$callback = (string)$_POST['callback'];
} else {
$callback = null;
}
......@@ -31,7 +31,7 @@ if (isset($_POST['app_key']) && isset($_POST['app_secret'])) {
case 2:
if (isset($_POST['request_token']) && isset($_POST['request_token_secret'])) {
try {
$oauth->setToken($_POST['request_token'], $_POST['request_token_secret']);
$oauth->setToken((string)$_POST['request_token'], (string)$_POST['request_token_secret']);
$token = $oauth->getAccessToken();
OCP\JSON::success(array('access_token' => $token['token'],
'access_token_secret' => $token['token_secret']));
......
......@@ -10,9 +10,9 @@ $l = \OC::$server->getL10N('files_external');
if (isset($_POST['client_id']) && isset($_POST['client_secret']) && isset($_POST['redirect'])) {
$client = new Google_Client();
$client->setClientId($_POST['client_id']);
$client->setClientSecret($_POST['client_secret']);
$client->setRedirectUri($_POST['redirect']);
$client->setClientId((string)$_POST['client_id']);
$client->setClientSecret((string)$_POST['client_secret']);
$client->setRedirectUri((string)$_POST['redirect']);
$client->setScopes(array('https://www.googleapis.com/auth/drive'));
$client->setAccessType('offline');
if (isset($_POST['step'])) {
......@@ -30,7 +30,7 @@ if (isset($_POST['client_id']) && isset($_POST['client_secret']) && isset($_POST
}
} else if ($step == 2 && isset($_POST['code'])) {
try {
$token = $client->authenticate($_POST['code']);
$token = $client->authenticate((string)$_POST['code']);
OCP\JSON::success(array('data' => array(
'token' => $token
)));
......