diff options
| author | Lukas Reschke <lukas@statuscode.ch> | 2014-02-18 15:32:57 +0400 |
|---|---|---|
| committer | Lukas Reschke <lukas@statuscode.ch> | 2014-02-20 14:28:20 +0400 |
| commit | 0b00057cf6cf95320da99c81f993ddea49156545 (patch) | |
| tree | c35cd4e56c28f54eaea033d9a2674cfea5d3ea69 | |
| parent | 382ddabf7556780797fafb54daddd3cf8c164330 (diff) | |
An admin should not be able to add remote and public services on its own. This should only be possible programmatically.
This change is due the fact that an admin may not be expected to execute arbitrary code in every environment.
| -rw-r--r-- | core/ajax/appconfig.php | 24 |
1 files changed, 18 insertions, 6 deletions
diff --git a/core/ajax/appconfig.php b/core/ajax/appconfig.php index 4f26dedc797..6629d8a664b 100644 --- a/core/ajax/appconfig.php +++ b/core/ajax/appconfig.php @@ -9,28 +9,40 @@ OC_Util::checkAdminUser(); OCP\JSON::callCheck(); $action=isset($_POST['action'])?$_POST['action']:$_GET['action']; +$app=OC_App::cleanAppId(isset($_POST['app'])?$_POST['app']:$_GET['app']); + +// An admin should not be able to add remote and public services +// on its own. This should only be possible programmatically. +// This change is due the fact that an admin may not be expected +// to execute arbitrary code in every environment. +if($app === 'core' && (substr($_POST['key'],0,7) === 'remote_' || substr($_POST['key'],0,7) === 'public_')) { + OC_JSON::error(array('data' => array('message' => 'Unexpected error!'))); + return; +} + $result=false; switch($action) { case 'getValue': - $result=OC_Appconfig::getValue($_GET['app'], $_GET['key'], $_GET['defaultValue']); + $result=OC_Appconfig::getValue($app, $_GET['key'], $_GET['defaultValue']); break; case 'setValue': - $result=OC_Appconfig::setValue($_POST['app'], $_POST['key'], $_POST['value']); + $result=OC_Appconfig::setValue($app, $_POST['key'], $_POST['value']); break; case 'getApps': $result=OC_Appconfig::getApps(); break; case 'getKeys': - $result=OC_Appconfig::getKeys($_GET['app']); + $result=OC_Appconfig::getKeys($app); break; case 'hasKey': - $result=OC_Appconfig::hasKey($_GET['app'], $_GET['key']); + $result=OC_Appconfig::hasKey($app, $_GET['key']); break; case 'deleteKey': - $result=OC_Appconfig::deleteKey($_POST['app'], $_POST['key']); + $result=OC_Appconfig::deleteKey($app, $_POST['key']); break; case 'deleteApp': - $result=OC_Appconfig::deleteApp($_POST['app']); + $result=OC_Appconfig::deleteApp($app); break; } OC_JSON::success(array('data'=>$result)); + |