diff options
| author | Vincent Petry <vincent@nextcloud.com> | 2021-10-22 10:56:21 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-10-22 10:56:21 +0300 |
| commit | a080c08d64d38cd18e29a4d785cee4c8b6c4ee36 (patch) | |
| tree | 51ecd4677215374d07abd48928adbc006bae4816 /lib | |
| parent | 884fcf0227791f3f39332ada71ae1f0570e01447 (diff) | |
| parent | ec8b2a90e6217e44736e33d924da06bcd35bbca0 (diff) | |
Merge pull request #29367 from nextcloud/backport/29362/stable21
[stable21] Fix security issues when copying groupfolder with advanced ACL
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/private/Files/Storage/Local.php | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/private/Files/Storage/Local.php b/lib/private/Files/Storage/Local.php index 0032ca46446..22c9418d19f 100644 --- a/lib/private/Files/Storage/Local.php +++ b/lib/private/Files/Storage/Local.php @@ -525,7 +525,10 @@ class Local extends \OC\Files\Storage\Common { * @return bool */ public function copyFromStorage(IStorage $sourceStorage, $sourceInternalPath, $targetInternalPath, $preserveMtime = false) { - if ($sourceStorage->instanceOfStorage(Local::class)) { + // Don't treat ACLStorageWrapper like local storage where copy can be done directly. + // Instead use the slower recursive copying in php from Common::copyFromStorage with + // more permissions checks. + if ($sourceStorage->instanceOfStorage(Local::class) && !$sourceStorage->instanceOfStorage('OCA\GroupFolders\ACL\ACLStorageWrapper')) { if ($sourceStorage->instanceOfStorage(Jail::class)) { /** * @var \OC\Files\Storage\Wrapper\Jail $sourceStorage |