From f700abc889f62abd112a348798fd8786629eb809 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Thu, 25 Nov 2021 08:48:26 +0100
Subject: [PATCH 1/3] Check for invalid characters before trimming
Signed-off-by: Joas Schilling
---
 lib/private/Files/Storage/Common.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/private/Files/Storage/Common.php b/lib/private/Files/Storage/Common.php
index 40af5dfae5193..92ad0962dbc25 100644
--- a/lib/private/Files/Storage/Common.php
+++ b/lib/private/Files/Storage/Common.php
@@ -554,8 +554,8 @@ public function verifyPath($path, $fileName) {
 * @throws InvalidPathException
 */
 protected function verifyPosixPath($fileName) {
- $fileName = trim($fileName);
 $this->scanForInvalidCharacters($fileName, "\\/");
+ $fileName = trim($fileName);
 $reservedNames = ['*'];
 if (in_array($fileName, $reservedNames)) {
 throw new ReservedWordException();
From 933a967896d24f0755c563a111eb1301b04ae5d4 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Thu, 25 Nov 2021 09:07:34 +0100
Subject: [PATCH 2/3] Add an integration test
Signed-off-by: Joas Schilling
---
 build/integration/features/webdav-related.feature | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/build/integration/features/webdav-related.feature b/build/integration/features/webdav-related.feature
index 66652e6fa26e8..b6d7b431e2089 100644
--- a/build/integration/features/webdav-related.feature
+++ b/build/integration/features/webdav-related.feature
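Review bot: In `verifyPosixPath` (lib/private/Files/Storage/Common.php) the order of the scan and the `trim()` call is what makes the character check effective, but nothing in the code says so, and a later tidy-up could move `trim()` back to the top. PHP's default `trim()` strips not only spaces but also tab, newline, carriage return, NUL and vertical tab, so scanning after trimming lets a name that begins or ends with one of those characters pass this check. I would add a comment above the scan such as `// Scan the raw name: trim() would silently drop leading/trailing control characters before they can be rejected`. The trimmed copy is only used for the reserved-name comparison that follows, and the function body continues past the end of the hunk. If other verifiers in this class still trim before scanning (not visible here), they would need the same reordering.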
@@ -608,3 +608,12 @@ Feature: webdav-related
 And user "user0" uploads new chunk file "3" with "CCCCC" to id "chunking-42"
 When user "user0" moves new chunk file with id "chunking-42" to "/myChunkedFile.txt" with size 15
 Then the HTTP status code should be "201"
+
+ Scenario: Creating a folder with invalid characters
+ Given using new dav path
+ And As an "admin"
+ And user "user0" exists
+ And user "user1" exists
+ And As an "user1"
+ And user "user1" created a folder "/testshare "
+ Then the HTTP status code should be "400"
From 9cc47c5e1f5747c29a55f9c1d5dd246d7b9d32a6 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Thu, 25 Nov 2021 09:07:46 +0100
Subject: [PATCH 3/3] Correctly set the response after a ClientException as well
Signed-off-by: Joas Schilling
---
 .../integration/features/bootstrap/WebDav.php | 28 +++++++++++++++----
 1 file changed, 22 insertions(+), 6 deletions(-)
diff --git a/build/integration/features/bootstrap/WebDav.php b/build/integration/features/bootstrap/WebDav.php
index de277b2278d01..2d90d201b3075 100644
--- a/build/integration/features/bootstrap/WebDav.php
+++ b/build/integration/features/bootstrap/WebDav.php
@@ -459,7 +459,10 @@ public function userUploadsAFileTo($user, $source, $destination) {
 try {
 $this->response = $this->makeDavRequest($user, "PUT", $destination, [], $file);
 } catch (\GuzzleHttp\Exception\ServerException $e) {
- // 4xx and 5xx responses cause an exception
+ // 5xx responses cause a server exception
+ $this->response = $e->getResponse();
+ } catch (\GuzzleHttp\Exception\ClientException $e) {
+ // 4xx responses cause a client exception
 $this->response = $e->getResponse();
 }
 }
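Review bot: In the new scenario in webdav-related.feature the character that makes the folder name `"/testshare "` invalid is not visible: as rendered here the name ends in what looks like a plain space, so a reader cannot tell which character the 400 is expected for, and an editor or formatter that normalises whitespace could change it while the test still looks correct. A comment line above the step, e.g. `# folder name deliberately ends with <name of the character>`, would pin the intent. The scenario also sets up `user "user0" exists` without using user0 afterwards. It asserts only the status code; a follow-up step checking that the folder does not exist would confirm the request was rejected outright.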
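Review bot: The same pair of catch blocks with identical bodies is now repeated in five step methods of WebDav.php (userUploadsAFileTo in this hunk, and userUploadsAFileWithContentTo, userDeletesFile, userCreatedAFolder and downloadingFileAs in the later hunks). Since both handlers only store the response, one handler is enough where the PHP version used for the integration tests allows multi-catch: `} catch (\GuzzleHttp\Exception\ClientException | \GuzzleHttp\Exception\ServerException $e) {`, or catch their common parent `\GuzzleHttp\Exception\BadResponseException`, with a single comment `// 4xx and 5xx responses throw; keep the response so the status-code steps can assert on it`. Any other step in this file that still catches only ServerException (not visible in these hunks) will keep aborting on a 4xx, so a negative test that expects a rejection would fail with an exception instead of an assertion. The method bodies start outside the hunks.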
@@ -488,7 +491,10 @@ public function userUploadsAFileWithContentTo($user, $content, $destination) {
 try {
 $this->response = $this->makeDavRequest($user, "PUT", $destination, [], $file);
 } catch (\GuzzleHttp\Exception\ServerException $e) {
- // 4xx and 5xx responses cause an exception
+ // 5xx responses cause a server exception
+ $this->response = $e->getResponse();
+ } catch (\GuzzleHttp\Exception\ClientException $e) {
+ // 4xx responses cause a client exception
 $this->response = $e->getResponse();
 }
 }
@@ -503,7 +509,10 @@ public function userDeletesFile($user, $type, $file) {
 try {
 $this->response = $this->makeDavRequest($user, 'DELETE', $file, []);
 } catch (\GuzzleHttp\Exception\ServerException $e) {
- // 4xx and 5xx responses cause an exception
+ // 5xx responses cause a server exception
+ $this->response = $e->getResponse();
+ } catch (\GuzzleHttp\Exception\ClientException $e) {
+ // 4xx responses cause a client exception
 $this->response = $e->getResponse();
 }
 }
@@ -518,7 +527,10 @@ public function userCreatedAFolder($user, $destination) {
 $destination = '/' . ltrim($destination, '/');
 $this->response = $this->makeDavRequest($user, "MKCOL", $destination, []);
 } catch (\GuzzleHttp\Exception\ServerException $e) {
- // 4xx and 5xx responses cause an exception
+ // 5xx responses cause a server exception
+ $this->response = $e->getResponse();
+ } catch (\GuzzleHttp\Exception\ClientException $e) {
+ // 4xx responses cause a client exception
 $this->response = $e->getResponse();
 }
 }
@@ -589,8 +601,12 @@ public function userMovesNewChunkFileWithIdToMychunkedfileWithSize($user, $id, $
 public function downloadingFileAs($fileName, $user) {
 try {
 $this->response = $this->makeDavRequest($user, 'GET', $fileName, []);
- } catch (\GuzzleHttp\Exception\ServerException $ex) {
- $this->response = $ex->getResponse();
+ } catch (\GuzzleHttp\Exception\ServerException $e) {
+ // 5xx responses cause a server exception
+ $this->response = $e->getResponse();
+ } catch (\GuzzleHttp\Exception\ClientException $e) {
+ // 4xx responses cause a client exception
+ $this->response = $e->getResponse();
 }
 }