author | Morris Jobke <hey@morrisjobke.de> | 2015-07-27 14:03:13 +0300 |
---|---|---|
committer | Morris Jobke <hey@morrisjobke.de> | 2015-07-27 14:03:13 +0300 |
commit | b186a7822c0ce1c16f8e76d9925d01850d235772 (patch) | |
tree | 9baf90328b9ed389a4049b49c44db6f2fff67185 | |
parent | 385aefdc8fcb059a1757cc6f6100d92f85ef22dc (diff) | |
parent | 11dc65e76c096c7169cbf25f9b24925fb8f62c14 (diff) |
Merge pull request #17897 from owncloud/backport-scan-check-path-stable8
[stable8] Backport scan check path stable8
-rw-r--r-- | lib/private/files/utils/scanner.php | 3 | ||||
-rw-r--r-- | tests/lib/files/utils/scanner.php | 28 |
2 files changed, 31 insertions, 0 deletions
diff --git a/lib/private/files/utils/scanner.php b/lib/private/files/utils/scanner.php
index 662d4ac03c7..d04dbd2bd72 100644
--- a/lib/private/files/utils/scanner.php
+++ b/lib/private/files/utils/scanner.php
@@ -115,6 +115,9 @@ class Scanner extends PublicEmitter {
 * @throws \OC\ForbiddenException
 */
 public function scan($dir = '') {
+ if (!Filesystem::isValidPath($dir)) {
+ throw new \InvalidArgumentException('Invalid path to scan');
+ }
 $mounts = $this->getMounts($dir);
 foreach ($mounts as $mount) {
 if (is_null($mount->getStorage())) {
diff --git a/tests/lib/files/utils/scanner.php b/tests/lib/files/utils/scanner.php
index 65ddfe47514..67282713731 100644
--- a/tests/lib/files/utils/scanner.php
+++ b/tests/lib/files/utils/scanner.php
@@ -150,4 +150,32 @@ class Scanner extends \Test\TestCase {
 $newInfo = $cache->get('');
 $this->assertNotEquals($oldInfo['etag'], $newInfo['etag']);
 }
+
+ /**
+ * @return array
+ */
+ public function invalidPathProvider() {
+ return [
+ [
+ '../',
+ ],
+ [
+ '..\\',
+ ],
+ [
+ '../..\\../',
+ ],
+ ];
+ }
+
+ /**
+ * @dataProvider invalidPathProvider
+ * @expectedException \InvalidArgumentException
+ * @expectedExceptionMessage Invalid path to scan
+ * @param string $invalidPath
+ */
+ public function testInvalidPathScanning($invalidPath) {
+ $scanner = new TestScanner('', \OC::$server->getDatabaseConnection());
+ $scanner->scan($invalidPath);
+ }
 } |
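Review bot: The docblock above `scan()` still lists only `@throws \OC\ForbiddenException`, but the new guard at the top of the method throws `\InvalidArgumentException` for any `$dir` that `Filesystem::isValidPath()` rejects. Callers that catch only the documented exception will now see an undocumented one escape, so add `@throws \InvalidArgumentException if $dir is not a valid path (e.g. contains parent-directory segments)` to the docblock. Placing the check before `getMounts($dir)` is the right order, since no mount is resolved for a rejected path. The docblock starts and the method body continues outside this hunk; if other public methods of this class take a directory and resolve mounts, they would presumably need the same guard, which cannot be confirmed from here.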
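Review bot: `invalidPathProvider()` only covers inputs that begin with a parent-directory segment (`'../'`, `'..\\'`, `'../..\\../'`), so the test does not pin the behaviour for a traversal segment that follows a legitimate-looking prefix or ends the path. Consider adding cases such as `['files/../../'],` and `['files/..'],` (constructed examples), and a comment on the provider, `// every entry must be rejected by scan() before any mount is resolved`. Whether `Filesystem::isValidPath()` rejects those forms is not visible on this page, which is the reason to assert it here. The enclosing test class starts outside the hunk.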