diff options
| author | Vincent Petry <vincent@nextcloud.com> | 2021-10-22 10:56:40 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-10-22 10:56:40 +0300 |
| commit | e82157da9e982b85d4627f0e7ccf1c3ca7a7d7ac (patch) | |
| tree | fc2180cba6cd85ba258381b9cbee6dcf1b0f1ef7 /lib | |
| parent | 85de792b7410343d0156e91643b2de0321b9fd51 (diff) | |
| parent | bd6b9e2dd165fca84710ef9ae0b54b31f42f30e4 (diff) | |
Merge pull request #29366 from nextcloud/backport/29362/stable20
[stable20] Fix security issues when copying groupfolder with advanced ACL
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/private/Files/Storage/Local.php | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/private/Files/Storage/Local.php b/lib/private/Files/Storage/Local.php index 0ef58698623..1bfb9f611bb 100644 --- a/lib/private/Files/Storage/Local.php +++ b/lib/private/Files/Storage/Local.php @@ -525,7 +525,10 @@ class Local extends \OC\Files\Storage\Common { * @return bool */ public function copyFromStorage(IStorage $sourceStorage, $sourceInternalPath, $targetInternalPath, $preserveMtime = false) { - if ($sourceStorage->instanceOfStorage(Local::class)) { + // Don't treat ACLStorageWrapper like local storage where copy can be done directly. + // Instead use the slower recursive copying in php from Common::copyFromStorage with + // more permissions checks. + if ($sourceStorage->instanceOfStorage(Local::class) && !$sourceStorage->instanceOfStorage('OCA\GroupFolders\ACL\ACLStorageWrapper')) { if ($sourceStorage->instanceOfStorage(Jail::class)) { /** * @var \OC\Files\Storage\Wrapper\Jail $sourceStorage |