
Commit 76516a7

Merge pull request #3235 from nextcloud/backport/3230/stable32
2 parents c18a64a + 4156248 commit 76516a7

2 files changed

Lines changed: 48 additions & 3 deletions


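--- a/lib/Controller/ApiController.php
+++ b/lib/Controller/ApiController.php
@@ -8,8 +8,8 @@
 
 namespace OCA\Photos\Controller;
 
+use JsonException;
 use OCA\Photos\AppInfo\Application;
-use OCA\Photos\Service\UserConfigService;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\ContentSecurityPolicy;
@@ -50,14 +50,58 @@ public function setUserConfig(string $key, string $value): JSONResponse {
 return new JSONResponse([], Http::STATUS_PRECONDITION_FAILED);
 }
 
-if (!in_array($key, array_keys(UserConfigService::DEFAULT_CONFIGS))) {
-return new JSONResponse([], Http::STATUS_PRECONDITION_FAILED);
+switch ($key) {
+case 'croppedLayout':
+if ($value !== 'true' && $value !== 'false') {
+return new JSONResponse([], Http::STATUS_BAD_REQUEST);
+}
+break;
+case 'photosLocation':
+if (!$this->validatePath($value)) {
+return new JSONResponse([], Http::STATUS_BAD_REQUEST);
+}
+break;
+case 'photosSourceFolders':
+try {
+$paths = json_decode($value, true, 512, JSON_THROW_ON_ERROR);
+} catch (JsonException) {
+return new JSONResponse([], Http::STATUS_BAD_REQUEST);
+}
+
+if (!array_is_list($paths)) {
+return new JSONResponse([], Http::STATUS_BAD_REQUEST);
+}
+
+foreach ($paths as $path) {
+if (!$this->validatePath($path)) {
+return new JSONResponse([], Http::STATUS_BAD_REQUEST);
+}
+}
+break;
+default:
+return new JSONResponse([], Http::STATUS_BAD_REQUEST);
 }
 
 $this->config->setUserValue($user->getUid(), Application::APP_ID, $key, $value);
 return new JSONResponse([], Http::STATUS_OK);
 }
 
+private function validatePath(mixed $path): bool {
+if (!is_string($path)) {
+return false;
+}
+
+if (!str_starts_with($path, '/')) {
+return false;
+}
+
+if (str_contains($path, '..')) {
+return false;
+}
+
+return true;
+}
+
 /**
 * @NoAdminRequired
 * @NoCSRFRequired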
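Review bot: In the `photosSourceFolders` branch, `array_is_list($paths)` is called on whatever `json_decode` returned, so a syntactically valid non-array value such as `5`, `"x"` or `null` does not take the intended 400 path but reaches `array_is_list` with a non-array argument, which (barring coercion on older engines) raises a TypeError and surfaces as a 500; guard it with `if (!is_array($paths) || !array_is_list($paths)) {`. Separately, `validatePath` rejects any string containing `..` via `str_contains`, which also refuses otherwise legitimate names like `/a..b` and does nothing about empty or `.` segments (`//`, `/./`); if the intent is only to block traversal, splitting on `/` and rejecting segments equal to `..` (and optionally `.` or empty) is more precise, though the broad check is the safer default if the folder names are later normalized elsewhere, which this hunk does not show. The body of `setUserConfig` starts before this hunk, so the origin of `$user` and any earlier validation of `$key` are not visible here.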

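--- a/lib/Service/UserConfigService.php
+++ b/lib/Service/UserConfigService.php
@@ -18,6 +18,7 @@ class UserConfigService {
 'croppedLayout' => 'false',
 'photosLocation' => '/Photos',
 'photosSourceFolders' => '["/Photos"]',
+/** If you add any new configs, make sure to validate the contents in {@see \OCA\Photos\Controller\ApiController::setUserConfig} */
 ];
 
 private readonly IConfig $config;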
