From 5f07fb15dccb40339c326c0294f4d73a1d6e77b6 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Tue, 18 Nov 2014 14:47:48 +0100
Subject: [PATCH 1/3] Fix case-sensitivity
---
 apps/files_sharing/public.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/files_sharing/public.php b/apps/files_sharing/public.php
index d9b8f0f4f303..d9d14f67c336 100644
--- a/apps/files_sharing/public.php
+++ b/apps/files_sharing/public.php
@@ -12,6 +12,6 @@
 $urlGenerator = new \OC\URLGenerator(\OC::$server->getConfig());
 $token = isset($_GET['t']) ? $_GET['t'] : '';
-$route = isset($_GET['download']) ? 'files_sharing.sharecontroller.downloadshare' : 'files_sharing.sharecontroller.showshare';
+$route = isset($_GET['download']) ? 'files_sharing.sharecontroller.downloadShare' : 'files_sharing.sharecontroller.showShare';
 OC_Response::redirect($urlGenerator->linkToRoute($route, array('token' => $token)));
From f3ab4f3faf9c6f07c14cba406188d56a1e81b676 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Tue, 18 Nov 2014 14:54:08 +0100
Subject: [PATCH 2/3] Don't disclose relative directory path for single shared files of user The "dir" key is used within the public sharing template to indicate in which directory the user currently is when sharing a directory with subdirectories. This is needed by the JS scripts. However, when not accessing a directory then "dir" was set to the relative path of the file (from the user's home directory), meaning that for every public shared file the sharee can see the path. (For example if you share the file "foo.txt" from "finances/topsecret/" the sharee would still see the path "finances/topsecret/" from the shared HTML template) This is not the excpected behaviour and can be considered a privacy problem, this patch addresses this by setting "dir" to an empty key.
---
 apps/files_sharing/lib/controllers/sharecontroller.php | 2 +-
 apps/files_sharing/tests/controller/sharecontroller.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/apps/files_sharing/lib/controllers/sharecontroller.php b/apps/files_sharing/lib/controllers/sharecontroller.php
index e5fd0f401c25..da0761837d84 100644
--- a/apps/files_sharing/lib/controllers/sharecontroller.php
+++ b/apps/files_sharing/lib/controllers/sharecontroller.php
@@ -172,7 +172,7 @@ public function showShare($token, $path = '') {
 $shareTmpl['sharingToken'] = $token;
 $shareTmpl['server2serversharing'] = Helper::isOutgoingServer2serverShareEnabled();
 $shareTmpl['protected'] = isset($linkItem['share_with']) ? 'true' : 'false';
- $shareTmpl['dir'] = $dir;
+ $shareTmpl['dir'] = '';
 $shareTmpl['fileSize'] = \OCP\Util::humanFileSize(\OC\Files\Filesystem::filesize($originalSharePath));
 // Show file list
diff --git a/apps/files_sharing/tests/controller/sharecontroller.php b/apps/files_sharing/tests/controller/sharecontroller.php
index 8dcb24755640..f13e5b2e4974 100644
--- a/apps/files_sharing/tests/controller/sharecontroller.php
+++ b/apps/files_sharing/tests/controller/sharecontroller.php
@@ -153,7 +153,7 @@ public function testShowShare() {
 'sharingToken' => $this->token,
 'server2serversharing' => true,
 'protected' => 'true',
- 'dir' => '/',
+ 'dir' => '',
 'downloadURL' => null,
 'fileSize' => '33 B'
 );
From a6ebb176102fcb157c529685cbaeb358950a054a Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Tue, 18 Nov 2014 16:45:55 +0100
Subject: [PATCH 3/3] Remove unused variable and make Scrutinizer happy.
---
 apps/files_sharing/lib/controllers/sharecontroller.php | 2 --
 1 file changed, 2 deletions(-)
diff --git a/apps/files_sharing/lib/controllers/sharecontroller.php b/apps/files_sharing/lib/controllers/sharecontroller.php
index da0761837d84..8a1926919421 100644
--- a/apps/files_sharing/lib/controllers/sharecontroller.php
+++ b/apps/files_sharing/lib/controllers/sharecontroller.php
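Review bot: In PATCH 2/3, the new `$shareTmpl['dir'] = '';` in showShare() has no comment saying why the value is blank, so a later cleanup could restore the path and reopen the disclosure the commit message describes. I would add `// Deliberately empty: for a single shared file the owner's relative path must not reach the public template.` directly above the assignment. The hunk stops at `// Show file list` and showShare() continues outside it, so presumably the directory branch assigns `dir` again for folder shares. That, and whether any other `$shareTmpl` key is built from `$originalSharePath`, should be confirmed against the full function.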
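Review bot: In PATCH 2/3, testShowShare() only swaps the expected `'dir' => '/'` for `'dir' => ''`, and an old expectation of `/` suggests the fixture shares a file from the top of the owner's storage, where there was no parent path to reveal. A regression test for this privacy fix should share a file from a nested folder and assert that no parent path segment appears in any template parameter. The fixture setup lies outside the hunk, so the location of the shared file is inferred from the old expected value.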
@@ -23,7 +23,6 @@
 use OCP\IRequest;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\Http\RedirectResponse;
-use OCP\AppFramework\IApi;
 use OC\URLGenerator;
 use OC\AppConfig;
 use OCP\ILogger;
@@ -160,7 +159,6 @@ public function showShare($token, $path = '') {
 $originalSharePath .= $path;
 }
- $dir = dirname($originalSharePath);
 $file = basename($originalSharePath);
 $shareTmpl = array();