sascha
/
nextcloud-server
mirror of https://github.com/nextcloud/server.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Sanitize length headers when validating quota

pull/1821/head
Thomas Müller 2016-10-13 12:59:10 +07:00 committed by Morris Jobke
parent 5d7e9bb8fc
commit 08d6884107
No known key found for this signature in database
GPG Key ID: 9CE5ED29E7FCD38A
2 changed files with 25 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
apps/dav/lib/Connector/Sabre/QuotaPlugin.php
Unescape Escape View File

@ -25,6 +25,11 @@
* *
*/ */
namespace OCA\DAV\Connector\Sabre; namespace OCA\DAV\Connector\Sabre;
use OCP\Files\FileInfo;
use OCP\Files\StorageNotAvailableException;
use Sabre\DAV\Exception\InsufficientStorage;
use Sabre\DAV\Exception\ServiceUnavailable;
use Sabre\HTTP\URLUtil;
/** /**
* This plugin check user quota and deny creating files when they exceeds the quota. * This plugin check user quota and deny creating files when they exceeds the quota.
@ -77,17 +82,16 @@ class QuotaPlugin extends \Sabre\DAV\ServerPlugin {
* This method is called before any HTTP method and validates there is enough free space to store the file * This method is called before any HTTP method and validates there is enough free space to store the file
* *
* @param string $uri * @param string $uri
* @param null $data * @throws InsufficientStorage
* @throws \Sabre\DAV\Exception\InsufficientStorage
* @return bool * @return bool
*/ */
public function checkQuota($uri, $data = null) { public function checkQuota($uri) {
$length = $this->getLength(); $length = $this->getLength();
if ($length) { if ($length) {
if (substr($uri, 0, 1) !== '/') { if (substr($uri, 0, 1) !== '/') {
$uri = '/' . $uri; $uri = '/' . $uri;
} }
list($parentUri, $newName) = \Sabre\HTTP\URLUtil::splitPath($uri); list($parentUri, $newName) = URLUtil::splitPath($uri);
if(is_null($parentUri)) { if(is_null($parentUri)) {
$parentUri = ''; $parentUri = '';
} }
@ -102,11 +106,11 @@ class QuotaPlugin extends \Sabre\DAV\ServerPlugin {
$uri = rtrim($parentUri, '/') . '/' . $info['name']; $uri = rtrim($parentUri, '/') . '/' . $info['name'];
} }
$freeSpace = $this->getFreeSpace($uri); $freeSpace = $this->getFreeSpace($uri);
if ($freeSpace !== \OCP\Files\FileInfo::SPACE_UNKNOWN && $length > $freeSpace) { if ($freeSpace !== FileInfo::SPACE_UNKNOWN && $length > $freeSpace) {
if (isset($chunkHandler)) { if (isset($chunkHandler)) {
$chunkHandler->cleanup(); $chunkHandler->cleanup();
} }
throw new \Sabre\DAV\Exception\InsufficientStorage(); throw new InsufficientStorage();
} }
} }
return true; return true;
@ -136,13 +140,14 @@ class QuotaPlugin extends \Sabre\DAV\ServerPlugin {
/** /**
* @param string $uri * @param string $uri
* @return mixed * @return mixed
* @throws ServiceUnavailable
*/ */
public function getFreeSpace($uri) { public function getFreeSpace($uri) {
try { try {
$freeSpace = $this->view->free_space(ltrim($uri, '/')); $freeSpace = $this->view->free_space(ltrim($uri, '/'));
return $freeSpace; return $freeSpace;
} catch (\OCP\Files\StorageNotAvailableException $e) { } catch (StorageNotAvailableException $e) {
throw new \Sabre\DAV\Exception\ServiceUnavailable($e->getMessage()); throw new ServiceUnavailable($e->getMessage());
} }
} }
} }

26
apps/dav/tests/unit/Connector/Sabre/QuotaPluginTest.php
Unescape Escape View File

@ -24,22 +24,20 @@
* *
*/ */
namespace OCA\DAV\Tests\unit\Connector\Sabre; namespace OCA\DAV\Tests\unit\Connector\Sabre;
use Test\TestCase;
/** /**
* Copyright (c) 2013 Thomas Müller <thomas.mueller@tmit.eu> * Copyright (c) 2013 Thomas Müller <thomas.mueller@tmit.eu>
* This file is licensed under the Affero General Public License version 3 or * This file is licensed under the Affero General Public License version 3 or
* later. * later.
* See the COPYING-README file. * See the COPYING-README file.
*/ */
class QuotaPluginTest extends \Test\TestCase { class QuotaPluginTest extends TestCase {
/** /** @var \Sabre\DAV\Server | \PHPUnit_Framework_MockObject_MockObject */
* @var \Sabre\DAV\Server
*/
private $server; private $server;
/** /** @var \OCA\DAV\Connector\Sabre\QuotaPlugin | \PHPUnit_Framework_MockObject_MockObject */
* @var \OCA\DAV\Connector\Sabre\QuotaPlugin
*/
private $plugin; private $plugin;
private function init($quota, $checkedPath = '') { private function init($quota, $checkedPath = '') {
@ -126,19 +124,19 @@ class QuotaPluginTest extends \Test\TestCase {
} }
public function lengthProvider() { public function lengthProvider() {
return array( return [
array(null, array()), [null, []],
array(1024, array('X-EXPECTED-ENTITY-LENGTH' => '1024')), [1024, ['X-EXPECTED-ENTITY-LENGTH' => '1024']],
array(512, array('CONTENT-LENGTH' => '512')), [512, ['CONTENT-LENGTH' => '512']],
array(2048, array('OC-TOTAL-LENGTH' => '2048', 'CONTENT-LENGTH' => '1024')), [2048, ['OC-TOTAL-LENGTH' => '2048', 'CONTENT-LENGTH' => '1024']],
array(4096, array('OC-TOTAL-LENGTH' => '2048', 'X-EXPECTED-ENTITY-LENGTH' => '4096')), [4096, ['OC-TOTAL-LENGTH' => '2048', 'X-EXPECTED-ENTITY-LENGTH' => '4096']],
[null, ['X-EXPECTED-ENTITY-LENGTH' => 'A']], [null, ['X-EXPECTED-ENTITY-LENGTH' => 'A']],
[null, ['CONTENT-LENGTH' => 'A']], [null, ['CONTENT-LENGTH' => 'A']],
[1024, ['OC-TOTAL-LENGTH' => 'A', 'CONTENT-LENGTH' => '1024']], [1024, ['OC-TOTAL-LENGTH' => 'A', 'CONTENT-LENGTH' => '1024']],
[1024, ['OC-TOTAL-LENGTH' => 'A', 'X-EXPECTED-ENTITY-LENGTH' => '1024']], [1024, ['OC-TOTAL-LENGTH' => 'A', 'X-EXPECTED-ENTITY-LENGTH' => '1024']],
[null, ['OC-TOTAL-LENGTH' => '2048', 'X-EXPECTED-ENTITY-LENGTH' => 'A']], [null, ['OC-TOTAL-LENGTH' => '2048', 'X-EXPECTED-ENTITY-LENGTH' => 'A']],
[null, ['OC-TOTAL-LENGTH' => '2048', 'CONTENT-LENGTH' => 'A']], [null, ['OC-TOTAL-LENGTH' => '2048', 'CONTENT-LENGTH' => 'A']],
); ];
} }
public function quotaChunkedOkProvider() { public function quotaChunkedOkProvider() {