author | Vincent Petry <pvince81@owncloud.com> | 2016-10-20 18:13:26 +0300 |
---|---|---|
committer | Thomas Müller <DeepDiver1975@users.noreply.github.com> | 2016-10-20 18:13:26 +0300 |
commit | 5a7be627970d49de6cfdb1270ce0bae2a1459e4e (patch) | |
tree | d872c96d81ae9b896ab11950f6e1ccadd6937492 | |
parent | 9909e66d515252a06731bae34595ab17574b4007 (diff) |
Sanitize length headers when validating quota (#26421)
-rw-r--r-- | lib/private/connector/sabre/quotaplugin.php | 5 | ||||
-rw-r--r-- | tests/lib/connector/sabre/quotaplugin.php | 20 |
2 files changed, 16 insertions, 9 deletions
diff --git a/lib/private/connector/sabre/quotaplugin.php b/lib/private/connector/sabre/quotaplugin.php
index 59d0e188f66..46535da4f7e 100644
--- a/lib/private/connector/sabre/quotaplugin.php
+++ b/lib/private/connector/sabre/quotaplugin.php
@@ -85,12 +85,13 @@ class OC_Connector_Sabre_QuotaPlugin extends \Sabre\DAV\ServerPlugin {
 public function getLength() {
 $req = $this->server->httpRequest;
 $length = $req->getHeader('X-Expected-Entity-Length');
- if (!$length) {
+ if (!is_numeric($length)) {
 $length = $req->getHeader('Content-Length');
+ $length = is_numeric($length) ? $length : null;
 }
 $ocLength = $req->getHeader('OC-Total-Length');
- if ($length && $ocLength) {
+ if (is_numeric($length) && is_numeric($ocLength)) {
 return max($length, $ocLength);
 }
diff --git a/tests/lib/connector/sabre/quotaplugin.php b/tests/lib/connector/sabre/quotaplugin.php
index f08637854ce..002cc280649 100644
--- a/tests/lib/connector/sabre/quotaplugin.php
+++ b/tests/lib/connector/sabre/quotaplugin.php
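Review bot: `is_numeric()` in `getLength()` is a looser test than a byte count needs: it accepts signed values, decimals, exponent forms such as `1e3` and leading whitespace, and the accepted value is still passed on as the raw header string, so `max($length, $ocLength)` compares two numeric strings. A digits-only predicate fits a length header better, for example `if (!is_string($length) || !ctype_digit($length)) {` for the first test, with the same check applied to `Content-Length` and `OC-Total-Length`. The data provider in tests/lib/connector/sabre/quotaplugin.php only exercises `'A'`, so rows such as `'-1'` and `'1e3'` would be worth adding there. The rest of `getLength()` lies outside the hunk, so what the caller does with a `null` result is not visible here.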
@@ -80,13 +80,19 @@ class Test_OC_Connector_Sabre_QuotaPlugin extends \Test\TestCase {
 }
 public function lengthProvider() {
- return array(
- array(null, array()),
- array(1024, array('HTTP_X_EXPECTED_ENTITY_LENGTH' => '1024')),
- array(512, array('HTTP_CONTENT_LENGTH' => '512')),
- array(2048, array('HTTP_OC_TOTAL_LENGTH' => '2048', 'HTTP_CONTENT_LENGTH' => '1024')),
- array(4096, array('HTTP_OC_TOTAL_LENGTH' => '2048', 'HTTP_X_EXPECTED_ENTITY_LENGTH' => '4096')),
- );
+ return [
+ [null, []],
+ [1024, ['HTTP_X_EXPECTED_ENTITY_LENGTH' => '1024']],
+ [512, ['HTTP_CONTENT_LENGTH' => '512']],
+ [2048, ['HTTP_OC_TOTAL_LENGTH' => '2048', 'HTTP_CONTENT_LENGTH' => '1024']],
+ [4096, ['HTTP_OC_TOTAL_LENGTH' => '2048', 'HTTP_X_EXPECTED_ENTITY_LENGTH' => '4096']],
+ [null, ['HTTP_X_EXPECTED_ENTITY_LENGTH' => 'A']],
+ [null, ['HTTP_CONTENT_LENGTH' => 'A']],
+ [1024, ['HTTP_OC_TOTAL_LENGTH' => 'A', 'HTTP_CONTENT_LENGTH' => '1024']],
+ [1024, ['HTTP_OC_TOTAL_LENGTH' => 'A', 'HTTP_X_EXPECTED_ENTITY_LENGTH' => '1024']],
+ [null, ['HTTP_OC_TOTAL_LENGTH' => '2048', 'HTTP_X_EXPECTED_ENTITY_LENGTH' => 'A']],
+ [null, ['HTTP_OC_TOTAL_LENGTH' => '2048', 'HTTP_CONTENT_LENGTH' => 'A']],
+ ];
 }
 private function buildFileViewMock($quota) { |
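Review bot: The last two new rows in `lengthProvider()` pin a `null` result even though `OC-Total-Length` carries a valid `2048`, whereas a malformed `OC-Total-Length` next to a valid length still yields `1024`. If a `null` length makes the caller skip the quota check (not visible in this diff), a malformed `Content-Length` or `X-Expected-Entity-Length` would disable enforcement for a request that did declare its total size, so this expectation should be either documented or changed to fall back to the valid `OC-Total-Length`. If the behaviour is intended, a comment above those two rows such as `// non-numeric primary length header => length unknown (null), even when OC-Total-Length is valid` would make that explicit.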