some precaution to never allow to (recursivly) remove /, /apps or /home

This commit is contained in:
Ralf Becker 2009-08-12 09:55:41 +00:00
parent 9b3dc190fe
commit 39fee5d8bc
3 changed files with 28 additions and 2 deletions

View File

@ -61,6 +61,7 @@ class filemanager_ui
in_array($user,split(', *',$GLOBALS['egw_info']['server']['vfs_root_user'])) && in_array($user,split(', *',$GLOBALS['egw_info']['server']['vfs_root_user'])) &&
$GLOBALS['egw']->auth->authenticate($user, $password, 'text'); $GLOBALS['egw']->auth->authenticate($user, $password, 'text');
} }
//echo "<p>".__METHOD__."('$user','$password') user_pw_hash(...)='".egw_session::user_pw_hash($user,$password)."', config_hash='{$GLOBALS['egw_info']['server']['config_hash']}' --> returning ".array2string($is_root)."</p>\n";
return egw_session::appsession('is_root','filemanager',egw_vfs::$is_root = $is_root); return egw_session::appsession('is_root','filemanager',egw_vfs::$is_root = $is_root);
} }
@ -365,6 +366,14 @@ class filemanager_ui
switch($action) switch($action)
{ {
case 'delete': case 'delete':
// some precaution to never allow to (recursivly) remove /, /apps or /home
foreach((array)$selected as $path)
{
if (preg_match('/^\/?(home|apps|)\/*$/',$path))
{
return lang("Cautiously rejecting to remove folder '$path'!");
}
}
$dirs = $files = $errs = 0; $dirs = $files = $errs = 0;
foreach(egw_vfs::find($selected,array('depth'=>true)) as $path) foreach(egw_vfs::find($selected,array('depth'=>true)) as $path)
{ {

View File

@ -540,7 +540,15 @@ class egw_vfs extends vfs_stream_wrapper
*/ */
static function remove($urls,$allow_urls=false) static function remove($urls,$allow_urls=false)
{ {
//error_log(__METHOD__.'('.print_r($urls).')'); //error_log(__METHOD__.'('.array2string($urls).')');
// some precaution to never allow to (recursivly) remove /, /apps or /home
foreach((array)$urls as $url)
{
if (preg_match('/^\/?(home|apps|)\/*$/',parse_url($url,PHP_URL_PATH)))
{
throw new egw_exception_assertion_failed(__METHOD__.'('.array2string($urls).") Cautiously rejecting to remove folder '$url'!");
}
}
return self::find($urls,array('depth'=>true,'url'=>$allow_urls),array(__CLASS__,'_rm_rmdir')); return self::find($urls,array('depth'=>true,'url'=>$allow_urls),array(__CLASS__,'_rm_rmdir'));
} }

View File

@ -77,11 +77,15 @@ class vfs_home_hooks
// make the new owner the owner of the dir and it's content // make the new owner the owner of the dir and it's content
egw_vfs::find($new_dir,array(),array('egw_vfs','chown'),$data['new_owner']); egw_vfs::find($new_dir,array(),array('egw_vfs','chown'),$data['new_owner']);
} }
else elseif(!empty($data['account_lid']) && $data['account_lid'] != '/')
{ {
// delete the user-directory // delete the user-directory
egw_vfs::remove('/home/'.$data['account_lid']); egw_vfs::remove('/home/'.$data['account_lid']);
} }
else
{
throw new egw_exception_assertion_failed(__METHOD__.'('.array2string($data).') account_lid NOT set!');
}
egw_vfs::$is_root = false; egw_vfs::$is_root = false;
} }
@ -130,6 +134,11 @@ class vfs_home_hooks
*/ */
static function deleteGroup($data) static function deleteGroup($data)
{ {
if(empty($data['account_name']) || $data['account_name'] == '/')
{
throw new egw_exception_assertion_failed(__METHOD__.'('.array2string($data).') account_name NOT set!');
}
// delete the group-directory // delete the group-directory
egw_vfs::$is_root = true; egw_vfs::$is_root = true;
egw_vfs::remove('/home/'.$data['account_name']); egw_vfs::remove('/home/'.$data['account_name']);