
Contacts: Sanitize paths properly this time ;)

This commit is contained in:
Thomas Tanghus 2013-03-09 16:30:09 +01:00
parent 49c52afae1
commit 8fe237e90f
2 changed files with 21 additions and 18 deletions


@ -36,6 +36,7 @@ $tmpfile = md5(rand());
// If it is a Drag'n'Drop transfer it's handled here. // If it is a Drag'n'Drop transfer it's handled here.
$fn = (isset($_SERVER['HTTP_X_FILE_NAME']) ? $_SERVER['HTTP_X_FILE_NAME'] : false); $fn = (isset($_SERVER['HTTP_X_FILE_NAME']) ? $_SERVER['HTTP_X_FILE_NAME'] : false);
$fn = strtr($fn, array('/' => '', "\\" => ''));
if($fn) { if($fn) {
if(OC\Files\Filesystem::isFileBlacklisted($fn)) { if(OC\Files\Filesystem::isFileBlacklisted($fn)) {
bailOut($l10n->t('Upload of blacklisted file:') . $fn); bailOut($l10n->t('Upload of blacklisted file:') . $fn);
@ -73,11 +74,12 @@ if($error !== UPLOAD_ERR_OK) {
$file=$_FILES['importfile']; $file=$_FILES['importfile'];
if(file_exists($file['tmp_name'])) { if(file_exists($file['tmp_name'])) {
if(OC\Files\Filesystem::isFileBlacklisted($file['name'])) { $filename = strtr($file['name'], array('/' => '', "\\" => ''));
bailOut($l10n->t('Upload of blacklisted file:') . $file['name']); if(OC\Files\Filesystem::isFileBlacklisted($filename)) {
bailOut($l10n->t('Upload of blacklisted file:') . $filename);
} }
if($view->file_put_contents('/imports/'.$file['name'], file_get_contents($file['tmp_name']))) { if($view->file_put_contents('/imports/'.$filename, file_get_contents($file['tmp_name']))) {
OCP\JSON::success(array('data' => array('file'=>$file['name'], 'name'=>$file['name']))); OCP\JSON::success(array('data' => array('file'=>$filename, 'name'=>$filename)));
} else { } else {
bailOut($l10n->t('Error uploading contacts to storage.')); bailOut($l10n->t('Error uploading contacts to storage.'));
} }
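Review bot: Removing `/` and `\` from `$filename` (and from `$fn` in the first hunk) still lets through the empty string, `.` and `..`, which `isFileBlacklisted` does not appear to cover, so `'/imports/' . $filename` passed to `file_put_contents` can resolve to the imports directory itself or its parent. A guard directly after the `strtr` line closes that gap: `if ($filename === '' || $filename === '.' || $filename === '..') { bailOut($l10n->t('Invalid file name.')); }`. The same `strtr(..., array('/' => '', "\\" => ''))` expression is now repeated three times across this commit (both hunks here and the import handler), so a small shared helper would keep the rule in one place and make a later tightening a one-line change. The enclosing `if(file_exists(...))` block continues outside the hunk.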


@ -28,16 +28,17 @@ function writeProgress($pct) {
OC_Cache::set($progresskey, $pct, 300); OC_Cache::set($progresskey, $pct, 300);
} }
writeProgress('10'); writeProgress('10');
$view = $file = null; $view = null;
if(OC\Files\Filesystem::isFileBlacklisted($_POST['file'])) { $inputfile = strtr($_POST['file'], array('/' => '', "\\" => ''));
OCP\JSON::error(array('data' => array('message' => 'Upload of blacklisted file: ' . $_POST['file']))); if(OC\Files\Filesystem::isFileBlacklisted($inputfile)) {
OCP\JSON::error(array('data' => array('message' => 'Upload of blacklisted file: ' . $inputfile)));
exit(); exit();
} }
if(isset($_POST['fstype']) && $_POST['fstype'] == 'OC_FilesystemView') { if(isset($_POST['fstype']) && $_POST['fstype'] == 'OC_FilesystemView') {
$view = OCP\Files::getStorage('contacts'); $view = OCP\Files::getStorage('contacts');
$file = $view->file_get_contents('/imports/' . $_POST['file']); $file = $view->file_get_contents('/imports/' . $inputfile);
} else { } else {
$file = \OC\Files\Filesystem::file_get_contents($_POST['path'] . '/' . $_POST['file']); $file = \OC\Files\Filesystem::file_get_contents($_POST['path'] . '/' . $inputfile);
} }
if(!$file) { if(!$file) {
OCP\JSON::error(array('data' => array('message' => 'Import file was empty.'))); OCP\JSON::error(array('data' => array('message' => 'Import file was empty.')));
@ -62,7 +63,7 @@ if(isset($_POST['method']) && $_POST['method'] == 'new') {
array( array(
'data' => array( 'data' => array(
'message' => 'Error getting the ID of the address book.', 'message' => 'Error getting the ID of the address book.',
'file'=>OCP\Util::sanitizeHTML($_POST['file']) 'file'=>OCP\Util::sanitizeHTML($inputfile)
) )
) )
); );
@ -75,7 +76,7 @@ if(isset($_POST['method']) && $_POST['method'] == 'new') {
array( array(
'data' => array( 'data' => array(
'message' => $e->getMessage(), 'message' => $e->getMessage(),
'file'=>OCP\Util::sanitizeHTML($_POST['file']) 'file'=>OCP\Util::sanitizeHTML($inputfile)
) )
) )
); );
@ -113,15 +114,15 @@ if(!count($parts) > 0) {
array( array(
'data' => array( 'data' => array(
'message' => 'No contacts to import in ' 'message' => 'No contacts to import in '
. OCP\Util::sanitizeHTML($_POST['file']).'. Please check if the file is corrupted.', . OCP\Util::sanitizeHTML($inputfile).'. Please check if the file is corrupted.',
'file'=>OCP\Util::sanitizeHTML($_POST['file']) 'file'=>OCP\Util::sanitizeHTML($inputfile)
) )
) )
); );
if(isset($_POST['fstype']) && $_POST['fstype'] == 'OC_FilesystemView') { if(isset($_POST['fstype']) && $_POST['fstype'] == 'OC_FilesystemView') {
if(!$view->unlink('/imports/' . $_POST['file'])) { if(!$view->unlink('/imports/' . $inputfile)) {
OCP\Util::writeLog('contacts', OCP\Util::writeLog('contacts',
'Import: Error unlinking OC_FilesystemView ' . '/' . OCP\Util::sanitizeHTML($_POST['file']), 'Import: Error unlinking OC_FilesystemView ' . '/' . OCP\Util::sanitizeHTML($inputfile),
OCP\Util::ERROR); OCP\Util::ERROR);
} }
} }
@ -160,9 +161,9 @@ writeProgress('100');
sleep(3); sleep(3);
OC_Cache::remove($progresskey); OC_Cache::remove($progresskey);
if(isset($_POST['fstype']) && $_POST['fstype'] == 'OC_FilesystemView') { if(isset($_POST['fstype']) && $_POST['fstype'] == 'OC_FilesystemView') {
if(!$view->unlink('/imports/' . $_POST['file'])) { if(!$view->unlink('/imports/' . $inputfile)) {
OCP\Util::writeLog('contacts', OCP\Util::writeLog('contacts',
'Import: Error unlinking OC_FilesystemView ' . '/' . $_POST['file'], 'Import: Error unlinking OC_FilesystemView ' . '/' . $inputfile,
OCP\Util::ERROR); OCP\Util::ERROR);
} }
} }
@ -171,7 +172,7 @@ OCP\JSON::success(
'data' => array( 'data' => array(
'imported'=>$imported, 'imported'=>$imported,
'failed'=>$failed, 'failed'=>$failed,
'file'=>OCP\Util::sanitizeHTML($_POST['file']), 'file'=>OCP\Util::sanitizeHTML($inputfile),
) )
) )
); );
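Review bot: In the first hunk of this file `$inputfile` can still be the empty string, `.` or `..` after the `strtr`, and it is then used unchanged in `'/imports/' . $inputfile` for `file_get_contents` and, in two later hunks, for `unlink`; rejecting those values right after the `strtr` line, `if ($inputfile === '' || $inputfile === '.' || $inputfile === '..') { OCP\JSON::error(array('data' => array('message' => 'Invalid file name.'))); exit(); }`, keeps the `unlink` calls from ever targeting the imports directory itself. `$_POST['path']` on the `else` branch is still concatenated as received; it may be bounded by the filesystem view, but it deserves either the same treatment or a comment stating why it is safe. `$_POST['file']` is also read without an `isset` check, so a request missing the parameter produces a notice and an empty `$inputfile` rather than a clear error. The script continues outside the hunks.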