fix users being to able to read files outside the datadir

14 years ago · 23d006fc25
parent 69ab810005
commit 23d006fc25
2 changed files with 33 additions and 12 deletions
--- a/inc/lib_files.php
+++ b/inc/lib_files.php
@ -130,19 +130,28 @@ class OC_FILES {
 			$zip=false;
 			$filename=$dir.'/'.$files;
 		}
-		header('Content-Disposition: attachment; filename='.basename($filename));
-		header('Content-Transfer-Encoding: binary');
-		header('Expires: 0');
-		header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
-		header('Pragma: public');
-		header('Content-Length: ' . filesize($filename));
-		if(!$zip){
-			$filename=OC_FILESYSTEM::toTmpFile($filename);
+		if($zip or OC_FILESYSTEM::is_readable($filename)){
+			header('Content-Disposition: attachment; filename='.basename($filename));
+			header('Content-Transfer-Encoding: binary');
+			header('Expires: 0');
+			header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
+			header('Pragma: public');
+			header('Content-Length: ' . filesize($filename));
+		}elseif($zip or !OC_FILESYSTEM::file_exists($filename)){
+			header("HTTP/1.0 404 Not Found");
+			die('404 Not Found');
+		}else{
+			header("HTTP/1.0 403 Forbidden");
+			die('403 Forbidden');
 		}
 		ob_end_clean();
 		OC_LOG::event($_SESSION['username'],3,"$dir/$files");
-		readfile($filename);
-		unlink($filename);
+		if($zip){
+			readfile($filename);
+			unlink($filename);
+		}else{
+			OC_FILESYSTEM::readfile($filename);
+		}
 		foreach(self::$tmpFiles as $tmpFile){
 			if(file_exists($tmpFile) and is_file($tmpFile)){
 				unlink($tmpFile);
--- a/inc/lib_filesystem.php
+++ b/inc/lib_filesystem.php
@ -34,7 +34,13 @@ class OC_FILESYSTEM{
 	* @param  string  path
 	* @return bool
 	*/
-	static private function canRead(){
+	static private function canRead($path){
+		if(substr($path,0,1)!=='/'){
+			$path='/'.$path;
+		}
+		if(strstr($path,'/../')){
+			return false;
+		}
 		return true;//dummy untill premissions are correctly implemented, also the correcty value because for now users are locked in their seperate data dir and can read/write everything in there
 	}
 	/**
@ -42,7 +48,13 @@ class OC_FILESYSTEM{
 	* @param  string  path
 	* @return bool
 	*/
-	static private function canWrite(){
+	static private function canWrite($path){
+		if(substr($path,0,1)!=='/'){
+			$path='/'.$path;
+		}
+		if(strstr($path,'/../')){
+			return false;
+		}
 		return true;//dummy untill premissions are correctly implemented, also the correcty value because for now users are locked in their seperate data dir and can read/write everything in there
 	}