From 620878033270b0cb987f419aa6df16cc4f626f06 Mon Sep 17 00:00:00 2001 From: Robin Appelman Date: Tue, 25 Jun 2013 17:04:25 +0200 Subject: [PATCH] Sabre: throw exceptions when delete/create/write operations are not permitted --- lib/connector/sabre/directory.php | 15 +++++++++++++++ lib/connector/sabre/file.php | 15 ++++++++++++--- 2 files changed, 27 insertions(+), 3 deletions(-) diff --git a/lib/connector/sabre/directory.php b/lib/connector/sabre/directory.php index 6ccb54b79abe..3d15a2a584d4 100644 --- a/lib/connector/sabre/directory.php +++ b/lib/connector/sabre/directory.php @@ -45,9 +45,15 @@ class OC_Connector_Sabre_Directory extends OC_Connector_Sabre_Node implements Sa * * @param string $name Name of the file * @param resource|string $data Initial payload + * @throws Sabre_DAV_Exception_Forbidden * @return null|string */ public function createFile($name, $data = null) { + + if (!\OC\Files\Filesystem::isCreatable($this->path)) { + throw new \Sabre_DAV_Exception_Forbidden(); + } + if (isset($_SERVER['HTTP_OC_CHUNKED'])) { $info = OC_FileChunking::decodeName($name); if (empty($info)) { @@ -102,10 +108,15 @@ public function createFile($name, $data = null) { * Creates a new subdirectory * * @param string $name + * @throws Sabre_DAV_Exception_Forbidden * @return void */ public function createDirectory($name) { + if (!\OC\Files\Filesystem::isCreatable($this->path)) { + throw new \Sabre_DAV_Exception_Forbidden(); + } + $newPath = $this->path . '/' . $name; if(!\OC\Files\Filesystem::mkdir($newPath)) { throw new Sabre_DAV_Exception_Forbidden('Could not create directory '.$newPath); @@ -203,9 +214,13 @@ public function childExists($name) { * Deletes all files in this directory, and then itself * * @return void + * @throws Sabre_DAV_Exception_Forbidden */ public function delete() { + if (!\OC\Files\Filesystem::isDeletable($this->path)) { + throw new \Sabre_DAV_Exception_Forbidden(); + } if ($this->path != "/Shared") { foreach($this->getChildren() as $child) $child->delete(); \OC\Files\Filesystem::rmdir($this->path); diff --git a/lib/connector/sabre/file.php b/lib/connector/sabre/file.php index 91646312e901..438d9871c228 100644 --- a/lib/connector/sabre/file.php +++ b/lib/connector/sabre/file.php @@ -41,24 +41,29 @@ class OC_Connector_Sabre_File extends OC_Connector_Sabre_Node implements Sabre_D * return an ETag, and just return null. * * @param resource $data + * @throws Sabre_DAV_Exception_Forbidden * @return string|null */ public function put($data) { + if (!\OC\Files\Filesystem::isUpdatable($this->path)) { + throw new \Sabre_DAV_Exception_Forbidden(); + } + // mark file as partial while uploading (ignored by the scanner) $partpath = $this->path . '.part'; \OC\Files\Filesystem::file_put_contents($partpath, $data); //detect aborted upload - if (isset ($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'PUT' ) { + if (isset ($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'PUT') { if (isset($_SERVER['CONTENT_LENGTH'])) { $expected = $_SERVER['CONTENT_LENGTH']; $actual = \OC\Files\Filesystem::filesize($partpath); if ($actual != $expected) { \OC\Files\Filesystem::unlink($partpath); throw new Sabre_DAV_Exception_BadRequest( - 'expected filesize ' . $expected . ' got ' . $actual); + 'expected filesize ' . $expected . ' got ' . $actual); } } } @@ -69,7 +74,7 @@ public function put($data) { //allow sync clients to send the mtime along in a header $mtime = OC_Request::hasModificationTime(); if ($mtime !== false) { - if(\OC\Files\Filesystem::touch($this->path, $mtime)) { + if (\OC\Files\Filesystem::touch($this->path, $mtime)) { header('X-OC-MTime: accepted'); } } @@ -92,9 +97,13 @@ public function get() { * Delete the current file * * @return void + * @throws Sabre_DAV_Exception_Forbidden */ public function delete() { + if (!\OC\Files\Filesystem::isDeletable($this->path)) { + throw new \Sabre_DAV_Exception_Forbidden(); + } \OC\Files\Filesystem::unlink($this->path); }