mirror of
https://github.com/owncloudarchive/contacts.git
synced 2025-01-29 18:52:18 +01:00
Contacts: Sanitize paths properly this time ;)
This commit is contained in:
Thomas Tanghus
parent
49c52afae1
commit
8fe237e90f
@ -36,6 +36,7 @@ $tmpfile = md5(rand());
|
||||
|
||||
// If it is a Drag'n'Drop transfer it's handled here.
|
||||
$fn = (isset($_SERVER['HTTP_X_FILE_NAME']) ? $_SERVER['HTTP_X_FILE_NAME'] : false);
|
||||
$fn = strtr($fn, array('/' => '', "\\" => ''));
|
||||
if($fn) {
|
||||
if(OC\Files\Filesystem::isFileBlacklisted($fn)) {
|
||||
bailOut($l10n->t('Upload of blacklisted file:') . $fn);
|
||||
@ -73,11 +74,12 @@ if($error !== UPLOAD_ERR_OK) {
|
||||
$file=$_FILES['importfile'];
|
||||
|
||||
if(file_exists($file['tmp_name'])) {
|
||||
if(OC\Files\Filesystem::isFileBlacklisted($file['name'])) {
|
||||
bailOut($l10n->t('Upload of blacklisted file:') . $file['name']);
|
||||
$filename = strtr($file['name'], array('/' => '', "\\" => ''));
|
||||
if(OC\Files\Filesystem::isFileBlacklisted($filename)) {
|
||||
bailOut($l10n->t('Upload of blacklisted file:') . $filename);
|
||||
}
|
||||
if($view->file_put_contents('/imports/'.$file['name'], file_get_contents($file['tmp_name']))) {
|
||||
OCP\JSON::success(array('data' => array('file'=>$file['name'], 'name'=>$file['name'])));
|
||||
if($view->file_put_contents('/imports/'.$filename, file_get_contents($file['tmp_name']))) {
|
||||
OCP\JSON::success(array('data' => array('file'=>$filename, 'name'=>$filename)));
|
||||
} else {
|
||||
bailOut($l10n->t('Error uploading contacts to storage.'));
|
||||
}
|
||||
|
||||
29
import.php
29
import.php
@ -28,16 +28,17 @@ function writeProgress($pct) {
|
||||
OC_Cache::set($progresskey, $pct, 300);
|
||||
}
|
||||
writeProgress('10');
|
||||
$view = $file = null;
|
||||
if(OC\Files\Filesystem::isFileBlacklisted($_POST['file'])) {
|
||||
OCP\JSON::error(array('data' => array('message' => 'Upload of blacklisted file: ' . $_POST['file'])));
|
||||
$view = null;
|
||||
$inputfile = strtr($_POST['file'], array('/' => '', "\\" => ''));
|
||||
if(OC\Files\Filesystem::isFileBlacklisted($inputfile)) {
|
||||
OCP\JSON::error(array('data' => array('message' => 'Upload of blacklisted file: ' . $inputfile)));
|
||||
exit();
|
||||
}
|
||||
if(isset($_POST['fstype']) && $_POST['fstype'] == 'OC_FilesystemView') {
|
||||
$view = OCP\Files::getStorage('contacts');
|
||||
$file = $view->file_get_contents('/imports/' . $_POST['file']);
|
||||
$file = $view->file_get_contents('/imports/' . $inputfile);
|
||||
} else {
|
||||
$file = \OC\Files\Filesystem::file_get_contents($_POST['path'] . '/' . $_POST['file']);
|
||||
$file = \OC\Files\Filesystem::file_get_contents($_POST['path'] . '/' . $inputfile);
|
||||
}
|
||||
if(!$file) {
|
||||
OCP\JSON::error(array('data' => array('message' => 'Import file was empty.')));
|
||||
@ -62,7 +63,7 @@ if(isset($_POST['method']) && $_POST['method'] == 'new') {
|
||||
array(
|
||||
'data' => array(
|
||||
'message' => 'Error getting the ID of the address book.',
|
||||
'file'=>OCP\Util::sanitizeHTML($_POST['file'])
|
||||
'file'=>OCP\Util::sanitizeHTML($inputfile)
|
||||
)
|
||||
)
|
||||
);
|
||||
@ -75,7 +76,7 @@ if(isset($_POST['method']) && $_POST['method'] == 'new') {
|
||||
array(
|
||||
'data' => array(
|
||||
'message' => $e->getMessage(),
|
||||
'file'=>OCP\Util::sanitizeHTML($_POST['file'])
|
||||
'file'=>OCP\Util::sanitizeHTML($inputfile)
|
||||
)
|
||||
)
|
||||
);
|
||||
@ -113,15 +114,15 @@ if(!count($parts) > 0) {
|
||||
array(
|
||||
'data' => array(
|
||||
'message' => 'No contacts to import in '
|
||||
. OCP\Util::sanitizeHTML($_POST['file']).'. Please check if the file is corrupted.',
|
||||
'file'=>OCP\Util::sanitizeHTML($_POST['file'])
|
||||
. OCP\Util::sanitizeHTML($inputfile).'. Please check if the file is corrupted.',
|
||||
'file'=>OCP\Util::sanitizeHTML($inputfile)
|
||||
)
|
||||
)
|
||||
);
|
||||
if(isset($_POST['fstype']) && $_POST['fstype'] == 'OC_FilesystemView') {
|
||||
if(!$view->unlink('/imports/' . $_POST['file'])) {
|
||||
if(!$view->unlink('/imports/' . $inputfile)) {
|
||||
OCP\Util::writeLog('contacts',
|
||||
'Import: Error unlinking OC_FilesystemView ' . '/' . OCP\Util::sanitizeHTML($_POST['file']),
|
||||
'Import: Error unlinking OC_FilesystemView ' . '/' . OCP\Util::sanitizeHTML($inputfile),
|
||||
OCP\Util::ERROR);
|
||||
}
|
||||
}
|
||||
@ -160,9 +161,9 @@ writeProgress('100');
|
||||
sleep(3);
|
||||
OC_Cache::remove($progresskey);
|
||||
if(isset($_POST['fstype']) && $_POST['fstype'] == 'OC_FilesystemView') {
|
||||
if(!$view->unlink('/imports/' . $_POST['file'])) {
|
||||
if(!$view->unlink('/imports/' . $inputfile)) {
|
||||
OCP\Util::writeLog('contacts',
|
||||
'Import: Error unlinking OC_FilesystemView ' . '/' . $_POST['file'],
|
||||
'Import: Error unlinking OC_FilesystemView ' . '/' . $inputfile,
|
||||
OCP\Util::ERROR);
|
||||
}
|
||||
}
|
||||
@ -171,7 +172,7 @@ OCP\JSON::success(
|
||||
'data' => array(
|
||||
'imported'=>$imported,
|
||||
'failed'=>$failed,
|
||||
'file'=>OCP\Util::sanitizeHTML($_POST['file']),
|
||||
'file'=>OCP\Util::sanitizeHTML($inputfile),
|
||||
)
|
||||
)
|
||||
);
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user