diff options
author | friendica <info@friendica.com> | 2014-01-06 14:33:49 -0800 |
---|---|---|
committer | friendica <info@friendica.com> | 2014-01-06 14:33:49 -0800 |
commit | db0867aeec968402becd39b548f13c1e27c0368d (patch) | |
tree | 777ba2996f48232e0944b15144fc8ae475f438fe /include/reddav.php | |
parent | e20fef3903c8ec74a56fe17c59696268bbb25220 (diff) | |
download | volse-hubzilla-db0867aeec968402becd39b548f13c1e27c0368d.tar.gz volse-hubzilla-db0867aeec968402becd39b548f13c1e27c0368d.tar.bz2 volse-hubzilla-db0867aeec968402becd39b548f13c1e27c0368d.zip |
reddav: improve and cleanup permission checks
Diffstat (limited to 'include/reddav.php')
-rw-r--r-- | include/reddav.php | 138 |
1 files changed, 62 insertions, 76 deletions
diff --git a/include/reddav.php b/include/reddav.php index 17bca790d..543cdfeac 100644 --- a/include/reddav.php +++ b/include/reddav.php @@ -5,73 +5,6 @@ require_once('vendor/autoload.php'); require_once('include/attach.php'); -class RedInode implements DAV\INode { - - private $attach; - - function __construct($attach) { - $this->attach = $attach; - } - - - function delete() { - if(! perm_is_allowed($this->channel_id,'','view_storage')) - return; - - /** - * Since I don't believe this is documented elsewhere - - * ATTACH_FLAG_OS means that the file contents are stored in the OS - * rather than in the DB - as is the case for attachments. - * Exactly how they are stored (what path and filename) are still - * TBD. We will probably not be using the original filename but - * instead the attachment 'hash' as this will prevent folks from - * uploading PHP code onto misconfigured servers and executing it. - * It's easy to misconfigure servers because we can provide a - * rule for Apache, but folks using nginx will then be susceptible. - * Then there are those who don't understand these kinds of exploits - * and don't have any idea allowing uploaded PHP files to be executed - * by the server could be a problem. We also don't have any idea what - * executable types are served on their system - like .py, .pyc, .pl, .sh - * .cgi, .exe, .bat, .net, whatever. - */ - - if($this->attach['flags'] & ATTACH_FLAG_OS) { - // FIXME delete physical file - } - if($this->attach['flags'] & ATTACH_FLAG_DIR) { - // FIXME delete contents (recursive?) - } - - q("delete from attach where id = %d limit 1", - intval($this->attach['id']) - ); - - } - - function getName() { - return $this->attach['filename']; - } - - function setName($newName) { - - if((! $newName) || (! perm_is_allowed($this->channel_id,'','view_storage'))) - return; - - $this->attach['filename'] = $newName; - $r = q("update attach set filename = '%s' where id = %d limit 1", - dbesc($this->attach['filename']), - intval($this->attach['id']) - ); - - } - - function getLastModified() { - return $this->attach['edited']; - } - -} - - class RedDirectory extends DAV\Node implements DAV\ICollection { private $red_path; @@ -79,7 +12,7 @@ class RedDirectory extends DAV\Node implements DAV\ICollection { private $ext_path; private $root_dir = ''; private $auth; - + private $os_path = ''; function __construct($ext_path,&$auth_plugin) { logger('RedDirectory::__construct() ' . $ext_path); @@ -158,8 +91,6 @@ class RedDirectory extends DAV\Node implements DAV\ICollection { logger('RedDirectory::createFile : ' . $name); logger('RedDirectory::createFile : ' . print_r($this,true)); -// logger('createFile():' . stream_get_contents($data)); - if(! $this->auth->owner_id) { logger('createFile: permission denied'); @@ -324,6 +255,7 @@ class RedDirectory extends DAV\Node implements DAV\ICollection { $path = '/' . $channel_name; $folder = ''; + $os_path = ''; for($x = 1; $x < count($path_arr); $x ++) { @@ -336,10 +268,15 @@ class RedDirectory extends DAV\Node implements DAV\ICollection { if($r && ( $r[0]['flags'] & ATTACH_FLAG_DIR)) { $folder = $r[0]['hash']; + if(strlen($os_path)) + $os_path .= '/'; + $os_path .= $folder; + $path = $path . '/' . $r[0]['filename']; } } $this->folder_hash = $folder; + $this->os_path = $os_path; return; } @@ -394,7 +331,6 @@ class RedFile extends DAV\Node implements DAV\IFile { function put($data) { logger('RedFile::put: ' . basename($this->name)); -// logger('put():' . stream_get_contents($data)); $r = q("update attach set data = '%s' where hash = '%s' and uid = %d limit 1", dbesc(stream_get_contents($data)), @@ -471,6 +407,23 @@ class RedFile extends DAV\Node implements DAV\IFile { } + function delete() { + + if($this->data['flags'] & ATTACH_FLAG_OS) { + // FIXME delete physical file + } + if($this->data['flags'] & ATTACH_FLAG_DIR) { + // FIXME delete contents (recursive?) + } + +// q("delete from attach where id = %d limit 1", +// intval($this->data['id']) +// ); + + + + } + } function RedChannelList(&$auth) { @@ -507,7 +460,6 @@ logger('RedCollectionData: ' . $file); if((! $file) || ($file === '/')) { return RedChannelList($auth); - } $file = trim($file,'/'); @@ -528,25 +480,54 @@ logger('dbg1: ' . print_r($r,true)); return null; $channel_id = $r[0]['channel_id']; + $perms = permissions_sql($channel_id); + $auth->owner_id = $channel_id; $path = '/' . $channel_name; $folder = ''; + $errors = false; + $permission_error = false; for($x = 1; $x < count($path_arr); $x ++) { - $r = q("select id, hash, filename, flags from attach where folder = '%s' and filename = '%s' and (flags & %d)", + $r = q("select id, hash, filename, flags from attach where folder = '%s' and filename = '%s' and (flags & %d) $perms limit 1", dbesc($folder), dbesc($path_arr[$x]), intval(ATTACH_FLAG_DIR) ); + if(! $r) { + // path wasn't found. Try without permissions to see if it was the result of permissions. + $errors = true; + $r = q("select id, hash, filename, flags from attach where folder = '%s' and filename = '%s' and (flags & %d) limit 1", + dbesc($folder), + basename($path_arr[$x]), + intval(ATTACH_FLAG_DIR) + ); + if($r) { + $permission_error = true; + } + break; + } + if($r && ( $r[0]['flags'] & ATTACH_FLAG_DIR)) { $folder = $r[0]['hash']; $path = $path . '/' . $r[0]['filename']; } } -logger('dbg2: ' . print_r($r,true)); + if($errors) { + if($permission_error) { + throw new DAV\Exception\Forbidden('Permission denied.'); + return; + } + else { + throw new DAV\Exception\NotFound('A component of the request file path could not be found'); + return; + } + } + + logger('dbg2: ' . print_r($r,true)); if($path !== '/' . $file) { logger("RedCollectionData: Path mismatch: $path !== /$file"); @@ -555,8 +536,7 @@ logger('dbg2: ' . print_r($r,true)); $ret = array(); - - $r = q("select id, uid, hash, filename, filetype, filesize, revision, folder, flags, created, edited from attach where folder = '%s' and uid = %d group by filename", + $r = q("select id, uid, hash, filename, filetype, filesize, revision, folder, flags, created, edited from attach where folder = '%s' and uid = %d $perms group by filename", dbesc($folder), intval($channel_id) ); @@ -776,6 +756,12 @@ class RedBrowser extends DAV\Browser\Plugin { } + // The DAV browser is instantiated after the auth module and directory classes but before we know the current + // directory and who the owner and observer are. So we add a pointer to the browser into the auth module and vice + // versa. Then when we've figured out what directory is actually being accessed, we call the following function + // to decide whether or not to show web elements which include writeable objects. + + function set_writeable() { logger('RedBrowser: ' . print_r($this->auth,true)); |