Merge pull request #191 from owncloud/stable8-verify-pathv8.0.5betav8.0.5RC1

[stable8] Verify if path exists before processing

4 files changed, 12 insertions, 0 deletions

diff --git a/ajax/batch.php b/ajax/batch.php
index eb1a7f17..164f78e4 100644
--- a/ajax/batch.php
+++ b/ajax/batch.php
@@ -27,6 +27,9 @@ if (!empty($_GET['token'])) {
 	OC_Util::setupFS($user);
 
 	$root = \OC\Files\Filesystem::getPath($linkItem['file_source']) . '/';
+	if($root === null) {
+		exit();
+	}
 	$images = array_map(function ($image) use ($root) {
 		return $root . $image;
 	}, $images);
diff --git a/ajax/getimages.php b/ajax/getimages.php
index 9c8a7cd5..40ce0154 100644
--- a/ajax/getimages.php
+++ b/ajax/getimages.php
@@ -28,6 +28,9 @@ if (isset($_GET['token'])) {
 
 		// The token defines the target directory (security reasons)
 		$path = \OC\Files\Filesystem::getPath($linkItem['file_source']);
+		if($path === null) {
+			exit();
+		}
 
 		$view = new \OC\Files\View(\OC\Files\Filesystem::getView()->getAbsolutePath($path));
 		$images = $view->searchByMime('image');
diff --git a/ajax/image.php b/ajax/image.php
index 49c132ca..d29030ef 100644
--- a/ajax/image.php
+++ b/ajax/image.php
@@ -26,6 +26,9 @@ if (!empty($_GET['token'])) {
 	OC_User::setIncognitoMode(true);
 
 	$fullPath = \OC\Files\Filesystem::getPath($linkItem['file_source']);
+	if($fullPath === null) {
+		exit();
+	}
 	$img = trim($fullPath . '/' . $img);
 } else {
 	OCP\JSON::checkLoggedIn();
diff --git a/ajax/thumbnail.php b/ajax/thumbnail.php
index e983fe59..b40ed542 100644
--- a/ajax/thumbnail.php
+++ b/ajax/thumbnail.php
@@ -27,6 +27,9 @@ if (!empty($_GET['token'])) {
 	OC_Util::setupFS($user);
 
 	$fullPath = \OC\Files\Filesystem::getPath($linkItem['file_source']);
+	if($fullPath === null) {
+		exit();
+	}
 	$img = trim($fullPath . '/' . $img);
 } else {
 	OCP\JSON::checkLoggedIn();