From e50f13d46b285c4f74b13d4ad9107cedf23311f2 Mon Sep 17 00:00:00 2001
From: Vincent Petry
Date: Tue, 17 Mar 2015 18:16:28 +0100
Subject: [PATCH 1/2] Add positive test for path verification

---
 tests/lib/files/pathverificationtest.php | 26 ++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/tests/lib/files/pathverificationtest.php b/tests/lib/files/pathverificationtest.php
index 5d38c6291a6..65342c7799e 100644
--- a/tests/lib/files/pathverificationtest.php
+++ b/tests/lib/files/pathverificationtest.php
@@ -230,4 +230,30 @@ class PathVerification extends \Test\TestCase {
 ];
 }
+ /**
+ * @dataProvider providesValidPosixPaths
+ */
+ public function testPathVerificationValidPaths($fileName) {
+ $storage = new Local(['datadir' => '']);
+
+ \Test_Helper::invokePrivate($storage, 'verifyPosixPath', [$fileName]);
+ \Test_Helper::invokePrivate($storage, 'verifyWindowsPath', [$fileName]);
+ // nothing thrown
+ $this->assertTrue(true);
+ }
+
+ public function providesValidPosixPaths() {
+ return [
+ ['simple'],
+ ['simple.txt'],
+ ['\''],
+ ['`'],
+ ['%'],
+ ['()'],
+ ['[]'],
+ ['!'],
+ ['$'],
+ ['_'],
+ ];
+ }
 }
From f13216d275fc59d448e91aab5e817bff5627d3d9 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Tue, 17 Mar 2015 21:56:16 +0100
Subject: [PATCH 2/2] Use `FILTER_UNSAFE_RAW` instead of `FILTER_SANITIZE_STRING`

`FILTER_SANITIZE_STRING` will still encode everything else.
---
 lib/private/files/storage/common.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/private/files/storage/common.php b/lib/private/files/storage/common.php
index 031a2f1cb7a..5de243e177a 100644
--- a/lib/private/files/storage/common.php
+++ b/lib/private/files/storage/common.php
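Review bot: In tests/lib/files/pathverificationtest.php, `testPathVerificationValidPaths` passes every value from `providesValidPosixPaths` to `verifyWindowsPath` as well as `verifyPosixPath`, so the provider's name understates what each case must satisfy. A contributor who later adds a name that is valid on POSIX but rejected by the Windows check would get a confusing failure. Renaming the provider to `providesValidPaths`, or adding a docblock line such as `Names that both the POSIX and the Windows check must accept.`, would make the contract explicit. The test docblock could also say that the assertion is only "no InvalidCharacterInPathException is thrown", which is why `$this->assertTrue(true)` is there.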
@@ -512,7 +512,7 @@ abstract class Common implements \OC\Files\Storage\Storage {
 }
 }
- $sanitizedFileName = filter_var($fileName, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);
+ $sanitizedFileName = filter_var($fileName, FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW);
 if($sanitizedFileName !== $fileName) {
 throw new InvalidCharacterInPathException();
 }
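Review bot: The sanitize-and-compare check on the new `filter_var` line now rejects only what `FILTER_FLAG_STRIP_LOW` removes, that is, bytes below 0x20, and nothing in the code says that this is its whole purpose. A comment above the call would keep a later reader from swapping the filter back, for example `// FILTER_UNSAFE_RAW leaves the name untouched; STRIP_LOW drops control chars (< 0x20), so any difference means the name contained one`. `FILTER_FLAG_STRIP_LOW` does not cover DEL (0x7F), so if that byte should be refused too it needs its own check. A negative test with a constructed name such as `"a\nb"` would pin the behaviour; the positive test in patch 1/2 does not exercise it, and whether the existing tests do is not visible from this hunk. The enclosing function starts outside the hunk.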