authorThomas Tanghus <thomas@tanghus.net>2013-03-09 22:26:31 +0400
committerThomas Tanghus <thomas@tanghus.net>2013-03-09 22:26:31 +0400
commitfae5bd363b4cc3bd00d1a983ca5aff4a0eb86408 (patch)
tree308b5c81a724181b4542b87611ec1042c611a224
parent1ab308446ebbb7ea43d6b2f4c4a869d648cf20a3 (diff)
Contacts: Backport filename sanitation and blacklist checking to stable4.
-rw-r--r--apps/contacts/ajax/uploadimport.php8
-rw-r--r--apps/contacts/import.php15
2 files changed, 18 insertions, 5 deletions
diff --git a/apps/contacts/ajax/uploadimport.php b/apps/contacts/ajax/uploadimport.php
index 4c3f5eadf08..56a966b6a12 100644
--- a/apps/contacts/ajax/uploadimport.php
+++ b/apps/contacts/ajax/uploadimport.php
@@ -35,7 +35,11 @@ $tmpfile = md5(rand());
// If it is a Drag'n'Drop transfer it's handled here.
$fn = (isset($_SERVER['HTTP_X_FILE_NAME']) ? $_SERVER['HTTP_X_FILE_NAME'] : false);
+$fn = strtr($fn, array('/' => '', "\\" => ''));
if($fn) {
+ if(OC_Filesystem::isFileBlacklisted($fn)) {
+ bailOut($l10n->t('Upload of blacklisted file:') . $fn);
+ }
if($view->file_put_contents('/'.$tmpfile, file_get_contents('php://input'))) {
OCP\JSON::success(array('data' => array('path'=>'', 'file'=>$tmpfile)));
exit();
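Review bot: The sanitised `$fn` in this hunk is consulted only by the blacklist check — the upload itself is written under the random `$tmpfile` name on the `file_put_contents` line — and that is worth stating, since a reader may otherwise assume the stripped name is used as a path. A comment above the `strtr` line such as `// Strip path separators so the blacklist check sees a bare filename; the upload is stored under $tmpfile, not under $fn` would make this explicit. Note also that `strtr` now runs before the truthiness test, so a header consisting solely of separators becomes `''` and silently falls through to the `$_FILES` branch instead of being rejected. The same two observations apply to the `$_FILES` hunk below, where `$filename` is likewise only used for the check.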
@@ -66,6 +70,10 @@ $file=$_FILES['importfile'];
$tmpfname = tempnam(get_temp_dir(), "occOrig");
if(file_exists($file['tmp_name'])) {
+ $filename = strtr($file['name'], array('/' => '', "\\" => ''));
+ if(OC_Filesystem::isFileBlacklisted($filename)) {
+ bailOut($l10n->t('Upload of blacklisted file:') . $filename);
+ }
if($view->file_put_contents('/'.$tmpfile, file_get_contents($file['tmp_name']))) {
OCP\JSON::success(array('data' => array('path'=>'', 'file'=>$tmpfile)));
} else {
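Review bot: The blacklist `bailOut` added here runs after `$tmpfname = tempnam(get_temp_dir(), "occOrig")` on the line above the check has already created a file in the temp directory, so a rejected upload leaves that file behind (assuming `bailOut` terminates the request, as its name suggests; its body is not in this hunk). Either move the `strtr`/`isFileBlacklisted` check ahead of the `tempnam` call, or remove the file before bailing: `unlink($tmpfname);` immediately before the `bailOut(...)` line. The enclosing `if(file_exists(...))` block continues past the end of the hunk.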
diff --git a/apps/contacts/import.php b/apps/contacts/import.php
index 85d4cebeb02..ffdc4381636 100644
--- a/apps/contacts/import.php
+++ b/apps/contacts/import.php
@@ -25,11 +25,16 @@ function writeProgress($pct) {
}
writeProgress('10');
$view = $file = null;
+$inputfile = strtr($_POST['file'], array('/' => '', "\\" => ''));
+if(OC_Filesystem::isFileBlacklisted($inputfile)) {
+ OCP\JSON::error(array('data' => array('message' => 'Upload of blacklisted file: ' . $inputfile)));
+ exit();
+}
if(isset($_POST['fstype']) && $_POST['fstype'] == 'OC_FilesystemView') {
$view = OCP\Files::getStorage('contacts');
- $file = $view->file_get_contents('/' . $_POST['file']);
+ $file = $view->file_get_contents('/' . $inputfile);
} else {
- $file = OC_Filesystem::file_get_contents($_POST['path'] . '/' . $_POST['file']);
+ $file = OC_Filesystem::file_get_contents($_POST['path'] . '/' . $inputfile);
}
if(!$file) {
OCP\JSON::error(array('message' => 'Import file was empty.'));
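Review bot: `$_POST['file']` is read without an `isset` guard on the new `$inputfile` line, so a request lacking that field raises a notice and `$inputfile` becomes `''`, which then reaches `$view->file_get_contents('/')` in the view branch; `$inputfile = isset($_POST['file']) ? strtr($_POST['file'], array('/' => '', "\\" => '')) : '';` followed by an explicit empty-name error keeps that case visible. More importantly, the same sanitation is not applied to `$_POST['path']`, which still goes straight into `OC_Filesystem::file_get_contents($_POST['path'] . '/' . $inputfile)` in the else branch, so the directory component remains entirely caller-controlled after this commit unless `OC_Filesystem` normalises it, which this hunk does not show; it deserves the same treatment or a check that it resolves inside the expected storage root. Stripping only `/` and `\` also leaves the names `.` and `..` untouched, so rejecting those rests on the blacklist check rather than on the `strtr`. Finally, the new blacklist error nests `message` under `data` whereas the `Import file was empty.` error below passes `message` at the top level; the two shapes should agree.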
@@ -115,7 +120,7 @@ if(count($parts) == 1){
$imported = 0;
$failed = 0;
if(!count($importready) > 0) {
- OCP\JSON::error(array('data' => (array('message' => 'No contacts to import in .'.$_POST['file'].' Please check if the file is corrupted.'))));
+ OCP\JSON::error(array('data' => (array('message' => 'No contacts to import in .'.$inputfile.' Please check if the file is corrupted.'))));
exit();
}
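Review bot: The error message on the rewritten line reads `'No contacts to import in .'.$inputfile.' Please check ...'`, which renders as `in .filename Please check`, with the period on the wrong side of the filename. `'No contacts to import in '.$inputfile.'. Please check if the file is corrupted.'` gives the intended wording. The surrounding `if(!count($importready) > 0)` condition only does what is meant because `!count(...)` yields a bool that then compares against `0`; `if(count($importready) === 0)` states the intent directly.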
foreach($importready as $import){
@@ -135,8 +140,8 @@ if(is_writable('import_tmp/')){
unlink($progressfile);
}
if(isset($_POST['fstype']) && $_POST['fstype'] == 'OC_FilesystemView') {
- if(!$view->unlink('/' . $_POST['file'])) {
- OCP\Util::writeLog('contacts','Import: Error unlinking OC_FilesystemView ' . '/' . $_POST['file'], OCP\Util::ERROR);
+ if(!$view->unlink('/' . $inputfile)) {
+ OCP\Util::writeLog('contacts','Import: Error unlinking OC_FilesystemView ' . '/' . $inputfile, OCP\Util::ERROR);
}
}
OCP\JSON::success(array('data' => array('imported'=>$imported, 'failed'=>$failed)));