store CalDAV/CardDAV log in user-specific log directories

Ralf Becker 2017-10-30 14:59:58 +01:00
parent 324f0b664b
commit a4526c98cb
2 changed files with 22 additions and 12 deletions


@ -2054,6 +2054,17 @@ class CalDAV extends HTTP_WebDAV_Server
if (self::$request_starttime) self::log_request(); if (self::$request_starttime) self::log_request();
} }
/**
* Sanitizing filename to gard agains path traversal and / eg. in UserAgent string
*
* @param string $filename
* @return string
*/
public static function sanitize_filename($filename)
{
return str_replace(array('../', '/'), array('', '!'), $filename);
}
/** /**
* Log the request * Log the request
* *
@ -2067,12 +2078,12 @@ class CalDAV extends HTTP_WebDAV_Server
{ {
$msg_file = $GLOBALS['egw_info']['server']['files_dir']; $msg_file = $GLOBALS['egw_info']['server']['files_dir'];
$msg_file .= '/groupdav'; $msg_file .= '/groupdav';
if (!file_exists($msg_file) && !mkdir($msg_file,0700)) $msg_file .= '/'.self::sanitize_filename($GLOBALS['egw_info']['user']['account_lid']).'/';
if (!file_exists($msg_file) && !mkdir($msg_file, 0700, true))
{ {
error_log(__METHOD__."() Could NOT create directory '$msg_file'!"); error_log(__METHOD__."() Could NOT create directory '$msg_file'!");
return; return;
} }
$msg_file .= '/'.$GLOBALS['egw_info']['user']['account_lid'].'-';
// stop CalDAVTester from creating one log per test-step // stop CalDAVTester from creating one log per test-step
if (substr($_SERVER['HTTP_USER_AGENT'], 0, 14) == 'scripts/tests/') if (substr($_SERVER['HTTP_USER_AGENT'], 0, 14) == 'scripts/tests/')
{ {
@ -2080,7 +2091,7 @@ class CalDAV extends HTTP_WebDAV_Server
} }
else else
{ {
$msg_file .= str_replace('/','!',$_SERVER['HTTP_USER_AGENT']).'.log'; $msg_file .= self::sanitize_filename($_SERVER['HTTP_USER_AGENT']).'.log';
} }
$content = '*** '.$_SERVER['REMOTE_ADDR'].' '.date('c')."\n"; $content = '*** '.$_SERVER['REMOTE_ADDR'].' '.date('c')."\n";
} }
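Review bot: sanitize_filename() still returns the bare names `.` and `..` unchanged, and log_request() now uses its result as a directory component (`'/'.self::sanitize_filename($GLOBALS['egw_info']['user']['account_lid']).'/'`), so an account_lid of `..` (if such a lid can exist — I cannot tell from here) would put the log directory one level above `groupdav/`, while an empty result yields a bare `.log` file. The `'../'` entry in the replace list is also redundant, because every `/` is turned into `!` in the same call, so the only real gap is the dot names. Suggest finishing the function with `$filename = str_replace(array('../', '/'), array('', '!'), $filename);` followed by `return ($filename === '' || $filename === '.' || $filename === '..') ? '_' : $filename;`, and noting in the docblock that backslashes are left alone, which only matters if this ever runs on Windows. The docblock typo `gard agains` could be fixed to `guard against` at the same time.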


@ -105,17 +105,16 @@ class Hooks
if ($GLOBALS['type'] === 'user') if ($GLOBALS['type'] === 'user')
{ {
$logs = array(); $logs = array();
if (file_exists($log_dir=$GLOBALS['egw_info']['server']['files_dir'].'/groupdav') && ($files = scandir($log_dir))) $relativ_log_dir .= 'groupdav/'.Api\CalDAV::sanitize_filename(Api\Accounts::id2name($hook_data['account_id']));
$log_dir = $GLOBALS['egw_info']['server']['files_dir'].'/'.$relativ_log_dir;
if (file_exists($log_dir) && ($files = scandir($log_dir)))
{ {
$account_lid = Api\Accounts::id2name($hook_data['account_id']);
$account_lid_len = strlen($account_lid);
foreach($files as $log) foreach($files as $log)
{ {
if (substr($log,0,$account_lid_len+1) == $account_lid.'-' && if (substr($log, -4) == '.log')
substr($log,-4) == '.log')
{ {
$logs['groupdav/'.$log] = Api\DateTime::to(filemtime($log_dir.'/'.$log)).': '. $logs[$relativ_log_dir.'/'.$log] = Api\DateTime::to(filemtime($log_dir.'/'.$log)).': '.
str_replace('!','/',substr($log,$account_lid_len+1,-4)); str_replace('!', '/', $log);
} }
} }
} }
@ -155,8 +154,8 @@ class Hooks
{ {
$filename = $_GET['filename']; $filename = $_GET['filename'];
$matches = null; $matches = null;
if (!preg_match('|^groupdav/'.($GLOBALS['egw_info']['user']['apps']['admin'] ? '[^-]+' : if (!preg_match('|^groupdav/'.($GLOBALS['egw_info']['user']['apps']['admin'] ? '[^/]+/' :
preg_quote($GLOBALS['egw_info']['user']['account_lid'], '|')).'-(.*)\.log$|', $filename, $matches)) preg_quote(Api\CalDAV::sanitize_filename($GLOBALS['egw_info']['user']['account_lid']), '|')).'(.*)\.log$|', $filename, $matches))
{ {
throw new Api\Exception\WrongParameter("Access denied to file '$filename'!"); throw new Api\Exception\WrongParameter("Access denied to file '$filename'!");
} }
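Review bot: The non-admin alternative in the preg_match pattern lacks the trailing `/` that the admin alternative `[^/]+/` has, so for a user with lid `alice` the effective pattern is `^groupdav/alice(.*)\.log$`, which also accepts `groupdav/alice2/agent.log` (any account whose sanitized lid starts with hers) and, because `(.*)` matches slashes, `groupdav/alice/../bob/agent.log`. That is a weaker check than the old `lid-` prefix, since the new per-user directory is the only thing separating users' logs. Suggest `preg_quote(Api\CalDAV::sanitize_filename($GLOBALS['egw_info']['user']['account_lid']), '|').'/'` for the non-admin branch and tightening the capture to `'([^/]*)\.log$'`, so no directory component can appear in the matched name and `$matches[1]` means the same thing in both branches. What is done with `$matches` and `$filename` after the check lies outside this hunk.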