Hi,
attached is a patch for OwnCloud 4.5.5.
The patch adds a check for /././. paths in function isValidPath in
lib/filesystem.php
Without this check, it is possible to create "." directories by calling
https://localhost/?app=files&dir=/.
This, itself, may not be a problem, but deleting this "." directories
removes all files and directories in the current directory.
If you have any questions please respond directly.
Thank you,
Martin Kluge
--- filesystem.php.orig 2013-01-22 13:00:01.000000000 +0100
+++ filesystem.php 2013-01-22 12:51:09.000000000 +0100
@@ -403,6 +403,11 @@
if(strstr($path,'/../') || strrchr($path, '/') === '/..' ) {
return false;
}
+ // Fix for /././.-paths
+ if(strstr($path,'/./') || strrchr($path, '/') === '/.' ) {
+ return false;
+ }
+ // End Fix
if(self::isFileBlacklisted($path)){
return false;
}
_______________________________________________
Owncloud mailing list
[email protected]
https://mail.kde.org/mailman/listinfo/owncloud
