diff --git a/api/src/CalDAV.php b/api/src/CalDAV.php index 0a40c0809e..0f352df294 100644 --- a/api/src/CalDAV.php +++ b/api/src/CalDAV.php @@ -2054,6 +2054,17 @@ class CalDAV extends HTTP_WebDAV_Server if (self::$request_starttime) self::log_request(); } + /** + * Sanitizing filename to gard agains path traversal and / eg. in UserAgent string + * + * @param string $filename + * @return string + */ + public static function sanitize_filename($filename) + { + return str_replace(array('../', '/'), array('', '!'), $filename); + } + /** * Log the request * @@ -2067,12 +2078,12 @@ class CalDAV extends HTTP_WebDAV_Server { $msg_file = $GLOBALS['egw_info']['server']['files_dir']; $msg_file .= '/groupdav'; - if (!file_exists($msg_file) && !mkdir($msg_file,0700)) + $msg_file .= '/'.self::sanitize_filename($GLOBALS['egw_info']['user']['account_lid']).'/'; + if (!file_exists($msg_file) && !mkdir($msg_file, 0700, true)) { error_log(__METHOD__."() Could NOT create directory '$msg_file'!"); return; } - $msg_file .= '/'.$GLOBALS['egw_info']['user']['account_lid'].'-'; // stop CalDAVTester from creating one log per test-step if (substr($_SERVER['HTTP_USER_AGENT'], 0, 14) == 'scripts/tests/') { @@ -2080,7 +2091,7 @@ class CalDAV extends HTTP_WebDAV_Server } else { - $msg_file .= str_replace('/','!',$_SERVER['HTTP_USER_AGENT']).'.log'; + $msg_file .= self::sanitize_filename($_SERVER['HTTP_USER_AGENT']).'.log'; } $content = '*** '.$_SERVER['REMOTE_ADDR'].' '.date('c')."\n"; } diff --git a/api/src/CalDAV/Hooks.php b/api/src/CalDAV/Hooks.php index 4fd3475054..fe689f3d61 100644 --- a/api/src/CalDAV/Hooks.php +++ b/api/src/CalDAV/Hooks.php @@ -105,17 +105,16 @@ class Hooks if ($GLOBALS['type'] === 'user') { $logs = array(); - if (file_exists($log_dir=$GLOBALS['egw_info']['server']['files_dir'].'/groupdav') && ($files = scandir($log_dir))) + $relativ_log_dir .= 'groupdav/'.Api\CalDAV::sanitize_filename(Api\Accounts::id2name($hook_data['account_id'])); + $log_dir = $GLOBALS['egw_info']['server']['files_dir'].'/'.$relativ_log_dir; + if (file_exists($log_dir) && ($files = scandir($log_dir))) { - $account_lid = Api\Accounts::id2name($hook_data['account_id']); - $account_lid_len = strlen($account_lid); foreach($files as $log) { - if (substr($log,0,$account_lid_len+1) == $account_lid.'-' && - substr($log,-4) == '.log') + if (substr($log, -4) == '.log') { - $logs['groupdav/'.$log] = Api\DateTime::to(filemtime($log_dir.'/'.$log)).': '. - str_replace('!','/',substr($log,$account_lid_len+1,-4)); + $logs[$relativ_log_dir.'/'.$log] = Api\DateTime::to(filemtime($log_dir.'/'.$log)).': '. + str_replace('!', '/', $log); } } } @@ -155,8 +154,8 @@ class Hooks { $filename = $_GET['filename']; $matches = null; - if (!preg_match('|^groupdav/'.($GLOBALS['egw_info']['user']['apps']['admin'] ? '[^-]+' : - preg_quote($GLOBALS['egw_info']['user']['account_lid'], '|')).'-(.*)\.log$|', $filename, $matches)) + if (!preg_match('|^groupdav/'.($GLOBALS['egw_info']['user']['apps']['admin'] ? '[^/]+/' : + preg_quote(Api\CalDAV::sanitize_filename($GLOBALS['egw_info']['user']['account_lid']), '|')).'(.*)\.log$|', $filename, $matches)) { throw new Api\Exception\WrongParameter("Access denied to file '$filename'!"); }