From 230d2a1ef422acbecd1865886a45cfef53e5dcca Mon Sep 17 00:00:00 2001
From: jkoberg
Date: Mon, 30 Oct 2023 15:30:25 +0100
Subject: [PATCH 1/2] check the filenamelength properly
Signed-off-by: jkoberg
---
 changelog/unreleased/fix-filename-length-check.md | 5 +++++
 internal/http/services/owncloud/ocdav/copy.go | 4 ++--
 internal/http/services/owncloud/ocdav/mkcol.go | 2 +-
 internal/http/services/owncloud/ocdav/move.go | 4 ++--
 internal/http/services/owncloud/ocdav/put.go | 3 +--
 internal/http/services/owncloud/ocdav/tus.go | 4 ++--
 6 files changed, 13 insertions(+), 9 deletions(-)
 create mode 100644 changelog/unreleased/fix-filename-length-check.md
diff --git a/changelog/unreleased/fix-filename-length-check.md b/changelog/unreleased/fix-filename-length-check.md
new file mode 100644
index 0000000000..0692a293ad
--- /dev/null
+++ b/changelog/unreleased/fix-filename-length-check.md
@@ -0,0 +1,5 @@
+Bugfix: Fix checking of filename length
+
+Instead of checking for length of the filename the ocs handler would sometimes check for complete file path.
+
+https://github.com/cs3org/reva/pull/4302
diff --git a/internal/http/services/owncloud/ocdav/copy.go b/internal/http/services/owncloud/ocdav/copy.go
index 7415b9cd0f..7379cff0bf 100644
--- a/internal/http/services/owncloud/ocdav/copy.go
+++ b/internal/http/services/owncloud/ocdav/copy.go
@@ -88,14 +88,14 @@ func (s *svc) handlePathCopy(w http.ResponseWriter, r *http.Request, ns string)
 return
 }
- if err := ValidateName(src, s.nameValidators); err != nil {
+ if err := ValidateName(path.Base(src), s.nameValidators); err != nil {
 w.WriteHeader(http.StatusBadRequest)
 b, err := errors.Marshal(http.StatusBadRequest, "source failed naming rules", "")
 errors.HandleWebdavError(appctx.GetLogger(ctx), w, b, err)
 return
 }
- if err := ValidateName(dst, s.nameValidators); err != nil {
+ if err := ValidateName(path.Base(dst), s.nameValidators); err != nil {
 w.WriteHeader(http.StatusBadRequest)
 b, err := errors.Marshal(http.StatusBadRequest, "destination failed naming rules", "")
 errors.HandleWebdavError(appctx.GetLogger(ctx), w, b, err)
diff --git a/internal/http/services/owncloud/ocdav/mkcol.go b/internal/http/services/owncloud/ocdav/mkcol.go
index 9b445a1439..71b84f8a7d 100644
--- a/internal/http/services/owncloud/ocdav/mkcol.go
+++ b/internal/http/services/owncloud/ocdav/mkcol.go
@@ -40,7 +40,7 @@ func (s *svc) handlePathMkcol(w http.ResponseWriter, r *http.Request, ns string)
 defer span.End()
 fn := path.Join(ns, r.URL.Path)
- if err := ValidateName(fn, s.nameValidators); err != nil {
+ if err := ValidateName(path.Base(fn), s.nameValidators); err != nil {
 return http.StatusBadRequest, err
 }
 sublog := appctx.GetLogger(ctx).With().Str("path", fn).Logger()
diff --git a/internal/http/services/owncloud/ocdav/move.go b/internal/http/services/owncloud/ocdav/move.go
index f08e308177..bf45df209b 100644
--- a/internal/http/services/owncloud/ocdav/move.go
+++ b/internal/http/services/owncloud/ocdav/move.go
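Review bot: Only the last element of `src` and `dst` reaches the validators after this change in handlePathCopy, and nothing in the hunk records why the parent segments are exempt. If the configured validators are purely per-segment rules (the commit title suggests a length limit), a short comment would make that contract explicit, for example `// nameValidators apply to a single path element; parent segments are not re-checked here`. The same applies to the `path.Base(fn)` call in mkcol.go and the two calls in move.go. It is also worth confirming that no validator was relied on to reject something elsewhere in the full path, since that coverage is gone with this change. The function body starts and ends outside the hunk.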
@@ -60,14 +60,14 @@ func (s *svc) handlePathMove(w http.ResponseWriter, r *http.Request, ns string)
 return
 }
- if err := ValidateName(srcPath, s.nameValidators); err != nil {
+ if err := ValidateName(path.Base(srcPath), s.nameValidators); err != nil {
 w.WriteHeader(http.StatusBadRequest)
 b, err := errors.Marshal(http.StatusBadRequest, "source failed naming rules", "")
 errors.HandleWebdavError(appctx.GetLogger(ctx), w, b, err)
 return
 }
- if err := ValidateName(dstPath, s.nameValidators); err != nil {
+ if err := ValidateName(path.Base(dstPath), s.nameValidators); err != nil {
 w.WriteHeader(http.StatusBadRequest)
 b, err := errors.Marshal(http.StatusBadRequest, "destination naming rules", "")
 errors.HandleWebdavError(appctx.GetLogger(ctx), w, b, err)
diff --git a/internal/http/services/owncloud/ocdav/put.go b/internal/http/services/owncloud/ocdav/put.go
index 7c30eb1275..e648582c0d 100644
--- a/internal/http/services/owncloud/ocdav/put.go
+++ b/internal/http/services/owncloud/ocdav/put.go
@@ -141,8 +141,7 @@ func (s *svc) handlePut(ctx context.Context, w http.ResponseWriter, r *http.Requ
 return
 }
- fn := filepath.Base(ref.Path)
- if err := ValidateName(fn, s.nameValidators); err != nil {
+ if err := ValidateName(filepath.Base(ref.Path), s.nameValidators); err != nil {
 w.WriteHeader(http.StatusBadRequest)
 b, err := errors.Marshal(http.StatusBadRequest, err.Error(), "")
 errors.HandleWebdavError(&log, w, b, err)
diff --git a/internal/http/services/owncloud/ocdav/tus.go b/internal/http/services/owncloud/ocdav/tus.go
index 1a7fd36e2d..6fbbbb6e43 100644
--- a/internal/http/services/owncloud/ocdav/tus.go
+++ b/internal/http/services/owncloud/ocdav/tus.go
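Review bot: The destination branch in handlePathMove reports `"destination naming rules"`, dropping the word "failed" that the source branch here and both branches in copy.go use; `"destination failed naming rules"` would keep the client-visible messages uniform. In the same blocks the validator's own error is shadowed by `b, err := errors.Marshal(...)` and is neither logged nor returned, so an operator cannot tell which rule rejected a name, whereas put.go passes `err.Error()` into the response. The function continues outside the hunk.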
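Review bot: `filepath.Base(ref.Path)` in handlePut splits on the OS-specific separator, while every other call site touched by this commit uses `path.Base`. `ref.Path` appears to be a slash-separated reference path, so `path.Base(ref.Path)` would behave the same on every platform and match the other handlers; on a Windows build `filepath.Base` also treats a backslash as a separator, so the segment handed to the validators could differ from the name that is actually stored. Whether `path` is already imported in put.go is not visible from the hunk. handlePut starts and ends outside the hunk.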
@@ -57,7 +57,7 @@ func (s *svc) handlePathTusPost(w http.ResponseWriter, r *http.Request, ns strin
 // read filename from metadata
 meta := tusd.ParseMetadataHeader(r.Header.Get(net.HeaderUploadMetadata))
- if err := ValidateName(meta["filename"], s.nameValidators); err != nil {
+ if err := ValidateName(path.Base(meta["filename"]), s.nameValidators); err != nil {
 w.WriteHeader(http.StatusPreconditionFailed)
 return
 }
@@ -81,7 +81,7 @@ func (s *svc) handleSpacesTusPost(w http.ResponseWriter, r *http.Request, spaceI
 // read filename from metadata
 meta := tusd.ParseMetadataHeader(r.Header.Get(net.HeaderUploadMetadata))
- if err := ValidateName(meta["filename"], s.nameValidators); err != nil {
+ if err := ValidateName(path.Base(meta["filename"]), s.nameValidators); err != nil {
 w.WriteHeader(http.StatusPreconditionFailed)
 return
 }
From 3453503f7095047e9e0252a12b0ebdf425c2ea49 Mon Sep 17 00:00:00 2001
From: kobergj
Date: Tue, 31 Oct 2023 08:48:52 +0100
Subject: [PATCH 2/2] Update changelog/unreleased/fix-filename-length-check.md
Co-authored-by: Michael Barz
---
 changelog/unreleased/fix-filename-length-check.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/changelog/unreleased/fix-filename-length-check.md b/changelog/unreleased/fix-filename-length-check.md
index 0692a293ad..397addfffb 100644
--- a/changelog/unreleased/fix-filename-length-check.md
+++ b/changelog/unreleased/fix-filename-length-check.md
@@ -1,5 +1,5 @@
 Bugfix: Fix checking of filename length
-Instead of checking for length of the filename the ocs handler would sometimes check for complete file path.
+Instead of checking for length of the filename the ocdav handler would sometimes check for complete file path.
 https://github.com/cs3org/reva/pull/4302
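Review bot: `meta["filename"]` is taken from the client's Upload-Metadata header, and in handlePathTusPost the validators now see only `path.Base(meta["filename"])`, so whatever the handler does with the raw value after the hunk is no longer covered by the check. `path.Base("")` returns `"."`, so a request without a filename entry is validated as `.` rather than as an empty name; an explicit `if meta["filename"] == "" {` rejection before the call would keep that case visible. If the raw value is later joined into the upload path (not visible here), validate and use one variable, e.g. `name := path.Base(meta["filename"])`, or reject values that contain a separator. The second hunk, in handleSpacesTusPost, has the same pattern, and both function bodies continue outside the hunks.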