From a4526c98cbfb58908d7254824b58892fb58c83ef Mon Sep 17 00:00:00 2001
From: Ralf Becker <RalfBecker@outdoor-training.de>
Date: Mon, 30 Oct 2017 14:59:58 +0100
Subject: [PATCH] store CalDAV/CardDAV log in user spezific log directories

---
 api/src/CalDAV.php       | 17 ++++++++++++++---
 api/src/CalDAV/Hooks.php | 17 ++++++++---------
 2 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/api/src/CalDAV.php b/api/src/CalDAV.php
index 0a40c0809e..0f352df294 100644
--- a/api/src/CalDAV.php
+++ b/api/src/CalDAV.php
@@ -2054,6 +2054,17 @@ class CalDAV extends HTTP_WebDAV_Server
 		if (self::$request_starttime) self::log_request();
 	}
 
+	/**
+	 * Sanitizing filename to gard agains path traversal and / eg. in UserAgent string
+	 *
+	 * @param string $filename
+	 * @return string
+	 */
+	public static function sanitize_filename($filename)
+	{
+		return str_replace(array('../', '/'), array('', '!'), $filename);
+	}
+
 	/**
 	 * Log the request
 	 *
@@ -2067,12 +2078,12 @@ class CalDAV extends HTTP_WebDAV_Server
 			{
 				$msg_file = $GLOBALS['egw_info']['server']['files_dir'];
 				$msg_file .= '/groupdav';
-				if (!file_exists($msg_file) && !mkdir($msg_file,0700))
+				$msg_file .= '/'.self::sanitize_filename($GLOBALS['egw_info']['user']['account_lid']).'/';
+				if (!file_exists($msg_file) && !mkdir($msg_file, 0700, true))
 				{
 					error_log(__METHOD__."() Could NOT create directory '$msg_file'!");
 					return;
 				}
-				$msg_file .= '/'.$GLOBALS['egw_info']['user']['account_lid'].'-';
 				// stop CalDAVTester from creating one log per test-step
 				if (substr($_SERVER['HTTP_USER_AGENT'], 0, 14) == 'scripts/tests/')
 				{
@@ -2080,7 +2091,7 @@ class CalDAV extends HTTP_WebDAV_Server
 				}
 				else
 				{
-					$msg_file .= str_replace('/','!',$_SERVER['HTTP_USER_AGENT']).'.log';
+					$msg_file .= self::sanitize_filename($_SERVER['HTTP_USER_AGENT']).'.log';
 				}
 				$content = '*** '.$_SERVER['REMOTE_ADDR'].' '.date('c')."\n";
 			}
diff --git a/api/src/CalDAV/Hooks.php b/api/src/CalDAV/Hooks.php
index 4fd3475054..fe689f3d61 100644
--- a/api/src/CalDAV/Hooks.php
+++ b/api/src/CalDAV/Hooks.php
@@ -105,17 +105,16 @@ class Hooks
 			if ($GLOBALS['type'] === 'user')
 			{
 				$logs = array();
-				if (file_exists($log_dir=$GLOBALS['egw_info']['server']['files_dir'].'/groupdav') && ($files = scandir($log_dir)))
+				$relativ_log_dir .= 'groupdav/'.Api\CalDAV::sanitize_filename(Api\Accounts::id2name($hook_data['account_id']));
+				$log_dir = $GLOBALS['egw_info']['server']['files_dir'].'/'.$relativ_log_dir;
+				if (file_exists($log_dir) && ($files = scandir($log_dir)))
 				{
-					$account_lid = Api\Accounts::id2name($hook_data['account_id']);
-					$account_lid_len = strlen($account_lid);
 					foreach($files as $log)
 					{
-						if (substr($log,0,$account_lid_len+1) == $account_lid.'-' &&
-							substr($log,-4) == '.log')
+						if (substr($log, -4) == '.log')
 						{
-							$logs['groupdav/'.$log] = Api\DateTime::to(filemtime($log_dir.'/'.$log)).': '.
-								str_replace('!','/',substr($log,$account_lid_len+1,-4));
+							$logs[$relativ_log_dir.'/'.$log] = Api\DateTime::to(filemtime($log_dir.'/'.$log)).': '.
+								str_replace('!', '/', $log);
 						}
 					}
 				}
@@ -155,8 +154,8 @@ class Hooks
 	{
 		$filename = $_GET['filename'];
 		$matches = null;
-		if (!preg_match('|^groupdav/'.($GLOBALS['egw_info']['user']['apps']['admin'] ? '[^-]+' :
-			preg_quote($GLOBALS['egw_info']['user']['account_lid'], '|')).'-(.*)\.log$|', $filename, $matches))
+		if (!preg_match('|^groupdav/'.($GLOBALS['egw_info']['user']['apps']['admin'] ? '[^/]+/' :
+			preg_quote(Api\CalDAV::sanitize_filename($GLOBALS['egw_info']['user']['account_lid']), '|')).'(.*)\.log$|', $filename, $matches))
 		{
 			throw new Api\Exception\WrongParameter("Access denied to file '$filename'!");
 		}