some precaution to never allow to (recursivly) remove /, /apps or /home

2025-01-05 21:49:28 +01:00 · 2009-08-12 09:55:41 +00:00 · 2009-08-12 09:55:41 +00:00 · 39fee5d8bc
commit 39fee5d8bc
parent 9b3dc190fe
3 changed files with 28 additions and 2 deletions
--- a/filemanager/inc/class.filemanager_ui.inc.php
+++ b/filemanager/inc/class.filemanager_ui.inc.php
@ -61,6 +61,7 @@ class filemanager_ui
 				in_array($user,split(', *',$GLOBALS['egw_info']['server']['vfs_root_user'])) &&
 				$GLOBALS['egw']->auth->authenticate($user, $password, 'text');
 		}
+		//echo "<p>".__METHOD__."('$user','$password') user_pw_hash(...)='".egw_session::user_pw_hash($user,$password)."', config_hash='{$GLOBALS['egw_info']['server']['config_hash']}' --> returning ".array2string($is_root)."</p>\n";
 		return egw_session::appsession('is_root','filemanager',egw_vfs::$is_root = $is_root);
 	}

@ -365,6 +366,14 @@ class filemanager_ui
 		switch($action)
 		{
 			case 'delete':
+				// some precaution to never allow to (recursivly) remove /, /apps or /home
+				foreach((array)$selected as $path)
+				{
+					if (preg_match('/^\/?(home|apps|)\/*$/',$path))
+					{
+						return lang("Cautiously rejecting to remove folder '$path'!");
+					}
+				}
 				$dirs = $files = $errs = 0;
 				foreach(egw_vfs::find($selected,array('depth'=>true)) as $path)
 				{
--- a/phpgwapi/inc/class.egw_vfs.inc.php
+++ b/phpgwapi/inc/class.egw_vfs.inc.php
@ -540,7 +540,15 @@ class egw_vfs extends vfs_stream_wrapper
 	 */
 	static function remove($urls,$allow_urls=false)
 	{
-		//error_log(__METHOD__.'('.print_r($urls).')');
+		//error_log(__METHOD__.'('.array2string($urls).')');
+		// some precaution to never allow to (recursivly) remove /, /apps or /home
+		foreach((array)$urls as $url)
+		{
+			if (preg_match('/^\/?(home|apps|)\/*$/',parse_url($url,PHP_URL_PATH)))
+			{
+				throw new egw_exception_assertion_failed(__METHOD__.'('.array2string($urls).") Cautiously rejecting to remove folder '$url'!");
+			}
+		}
 		return self::find($urls,array('depth'=>true,'url'=>$allow_urls),array(__CLASS__,'_rm_rmdir'));
 	}

--- a/phpgwapi/inc/class.vfs_home_hooks.inc.php
+++ b/phpgwapi/inc/class.vfs_home_hooks.inc.php
@ -77,11 +77,15 @@ class vfs_home_hooks
 			// make the new owner the owner of the dir and it's content
 			egw_vfs::find($new_dir,array(),array('egw_vfs','chown'),$data['new_owner']);
 		}
-		else
+		elseif(!empty($data['account_lid']) && $data['account_lid'] != '/')
 		{
 			// delete the user-directory
 			egw_vfs::remove('/home/'.$data['account_lid']);
 		}
+		else
+		{
+			throw new egw_exception_assertion_failed(__METHOD__.'('.array2string($data).') account_lid NOT set!');
+		}
 		egw_vfs::$is_root = false;
 	}

@ -130,6 +134,11 @@ class vfs_home_hooks
 	 */
 	static function deleteGroup($data)
 	{
+
+		if(empty($data['account_name']) || $data['account_name'] == '/')
+		{
+			throw new egw_exception_assertion_failed(__METHOD__.'('.array2string($data).') account_name NOT set!');
+		}
 		// delete the group-directory
 		egw_vfs::$is_root = true;
 		egw_vfs::remove('/home/'.$data['account_name']);