From 4637fd77683be1058bb92fc2e68c63a5a262854d Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Wed, 27 Jun 2018 22:46:31 +0200
Subject: [PATCH] Do not allow RTLO char in filenames

Signed-off-by: Roeland Jago Douma
---
 lib/private/Files/Storage/Common.php | 5 +++++
 tests/lib/Files/PathVerificationTest.php | 17 +++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/lib/private/Files/Storage/Common.php b/lib/private/Files/Storage/Common.php
index b6c82f3a1dfb9..0185069554f28 100644
--- a/lib/private/Files/Storage/Common.php
+++ b/lib/private/Files/Storage/Common.php
@@ -531,6 +531,11 @@ public function verifyPath($path, $fileName) {
 }
 }
 
+ // Do not allow RTLO char
+ if (mb_strpos($fileName, mb_chr(8238, 'utf8')) !== false) {
+ throw new InvalidCharacterInPathException('RTLO not allowed');
+ }
+
 if (isset($fileName[255])) {
 throw new FileNameTooLongException();
 }
diff --git a/tests/lib/Files/PathVerificationTest.php b/tests/lib/Files/PathVerificationTest.php
index 7e0b7dd265071..81054823817e6 100644
--- a/tests/lib/Files/PathVerificationTest.php
+++ b/tests/lib/Files/PathVerificationTest.php
@@ -105,6 +105,23 @@ public function providesAstralPlane() {
 ];
 }
 
+
+ /**
+ * @dataProvider providesInvalidUnicode
+ */
+ public function testPathVerificationInvalidUnicode(string $fileName) {
+ $this->expectException(InvalidPathException::class);
+ $this->expectExceptionMessage('File name contains at least one invalid character');
+
+ $this->view->verifyPath('', $fileName);
+ }
+
+ public function providesInvalidUnicode() {
+ return [
+ ['foo' . mb_chr(8238, 'utf8') . 'txt.html'], //RTLO
+ ];
+ }
+
 /**
 * @dataProvider providesInvalidCharsPosix
 * @expectedException \OCP\Files\InvalidCharacterInPathException
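Review bot: The new check in verifyPath rejects only U+202E, but the other bidirectional formatting characters (the embeddings and overrides U+202A–U+202D and the isolates U+2066–U+2069) can also alter the displayed order of a file name, so an extension can still be visually disguised. Consider matching the whole class and treating a PCRE failure as a rejection, e.g. `if (preg_match('/[\x{202A}-\x{202E}\x{2066}-\x{2069}]/u', $fileName) !== 0) {`. `mb_strpos` is called without an encoding argument, so the result depends on the configured internal encoding; `strpos($fileName, "\u{202E}")` is byte-exact for UTF-8 and replaces the magic number 8238 with a readable code point. The rest of verifyPath lies outside the hunk, so any earlier normalisation or UTF-8 validation of `$fileName` cannot be confirmed from here.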
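Review bot: providesInvalidUnicode covers a single position, with the character in the middle of the name; add leading and trailing cases such as `[mb_chr(8238, 'utf8') . 'foo.txt'],` and `['foo.txt' . mb_chr(8238, 'utf8')],`, plus a passing test for an ordinary right-to-left script name so that a later widening of the blocklist does not start rejecting legitimate Hebrew or Arabic file names. The asserted message 'File name contains at least one invalid character' is not the 'RTLO not allowed' string thrown in Common.php, so the test presumably relies on the view layer re-wrapping the exception; that code is not visible in this patch, and a one-line comment such as `// View::verifyPath() replaces the storage exception message` would record the dependency once confirmed. The new test calls `expectException()` while the neighbouring test below it still uses the `@expectedException` annotation, so the file now mixes two styles.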