Skip to content

Commit e90f9e3

Browse files
nickvergessennickvergessen
committed
fix(appmanager): Fix tainted file path when loading appinfos
Signed-off-by: Joas Schilling <[email protected]>
1 parent 5bd1873 commit e90f9e3

6 files changed

Lines changed: 34 additions & 27 deletions

File tree

build/psalm-baseline-security.xml

Lines changed: 0 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -22,11 +22,6 @@
2222
<code><![CDATA['Location: ' . \OC::$WEBROOT . '/']]></code>
2323
</TaintedHeader>
2424
</file>
25-
<file src="lib/private/App/InfoParser.php">
26-
<TaintedFile>
27-
<code><![CDATA[$file]]></code>
28-
</TaintedFile>
29-
</file>
3025
<file src="lib/private/AppFramework/Utility/SimpleContainer.php">
3126
<TaintedCallable>
3227
<code><![CDATA[$name]]></code>

build/psalm-baseline.xml

Lines changed: 0 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -2750,10 +2750,6 @@
27502750
<NullArgument>
27512751
<code><![CDATA[null]]></code>
27522752
</NullArgument>
2753-
<TypeDoesNotContainNull>
2754-
<code><![CDATA[$appId === null]]></code>
2755-
<code><![CDATA[$appId === null]]></code>
2756-
</TypeDoesNotContainNull>
27572753
</file>
27582754
<file src="lib/private/legacy/OC_Helper.php">
27592755
<InvalidArrayOffset>

lib/private/App/AppManager.php

Lines changed: 21 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -744,28 +744,35 @@ public function getAppsNeedingUpgrade($version) {
744744
*/
745745
public function getAppInfo(string $appId, bool $path = false, $lang = null) {
746746
if ($path) {
747-
$file = $appId;
748-
} else {
749-
if ($lang === null && isset($this->appInfos[$appId])) {
750-
return $this->appInfos[$appId];
751-
}
752-
try {
753-
$appPath = $this->getAppPath($appId);
754-
} catch (AppPathNotFoundException $e) {
755-
return null;
756-
}
757-
$file = $appPath . '/appinfo/info.xml';
747+
throw new \InvalidArgumentException('Calling IAppManager::getAppInfo() with a path is no longer supported. Please call IAppManager::getAppInfoByPath() instead and verify that the path is good before calling.');
748+
}
749+
if ($lang === null && isset($this->appInfos[$appId])) {
750+
return $this->appInfos[$appId];
751+
}
752+
try {
753+
$appPath = $this->getAppPath($appId);
754+
} catch (AppPathNotFoundException $e) {
755+
return null;
756+
}
757+
$file = $appPath . '/appinfo/info.xml';
758+
759+
return $this->getAppInfoByPath($file, $lang);
760+
}
761+
762+
public function getAppInfoByPath(string $path, ?string $lang = null): ?array {
763+
if (!str_ends_with($path, '/appinfo/info.xml')) {
764+
return null;
758765
}
759766

760767
$parser = new InfoParser($this->memCacheFactory->createLocal('core.appinfo'));
761-
$data = $parser->parse($file);
768+
$data = $parser->parse($path);
762769

763770
if (is_array($data)) {
764771
$data = \OC_App::parseAppInfo($data, $lang);
765772
}
766773

767-
if ($lang === null) {
768-
$this->appInfos[$appId] = $data;
774+
if ($lang === null && isset($data['id'])) {
775+
$this->appInfos[$data['id']] = $data;
769776
}
770777

771778
return $data;

lib/private/Installer.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -65,7 +65,7 @@ public function installApp(string $appId, bool $forceEnable = false): string {
6565
}
6666

6767
$l = \OCP\Util::getL10N('core');
68-
$info = \OCP\Server::get(IAppManager::class)->getAppInfo($basedir . '/appinfo/info.xml', true, $l->getLanguageCode());
68+
$info = \OCP\Server::get(IAppManager::class)->getAppInfoByPath($basedir . '/appinfo/info.xml', $l->getLanguageCode());
6969

7070
if (!is_array($info)) {
7171
throw new \Exception(

lib/private/legacy/OC_App.php

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -313,7 +313,8 @@ public static function findAppInDirectories(string $appId, bool $ignoreCache = f
313313
* @deprecated 11.0.0 use \OCP\Server::get(IAppManager)->getAppPath()
314314
*/
315315
public static function getAppPath(string $appId, bool $refreshAppPath = false) {
316-
if ($appId === null || trim($appId) === '') {
316+
$appId = self::cleanAppId($appId);
317+
if ($appId === '') {
317318
return false;
318319
}
319320

@@ -346,7 +347,7 @@ public static function getAppWebPath(string $appId) {
346347
*/
347348
public static function getAppVersionByPath(string $path): string {
348349
$infoFile = $path . '/appinfo/info.xml';
349-
$appData = \OC::$server->getAppManager()->getAppInfo($infoFile, true);
350+
$appData = \OCP\Server::get(IAppManager::class)->getAppInfoByPath($infoFile);
350351
return $appData['version'] ?? '';
351352
}
352353

lib/public/App/IAppManager.php

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -25,14 +25,22 @@ interface IAppManager {
2525
public const BACKEND_CALDAV = 'caldav';
2626

2727
/**
28-
* Returns the app information from "appinfo/info.xml".
28+
* Returns the app information from "appinfo/info.xml" for an app
2929
*
3030
* @param string|null $lang
3131
* @return array|null
3232
* @since 14.0.0
33+
* @since 31.0.0 Usage of $path is discontinued and throws an \InvalidArgumentException, use {@see self::getAppInfoByPath} instead.
3334
*/
3435
public function getAppInfo(string $appId, bool $path = false, $lang = null);
3536

37+
/**
38+
* Returns the app information from a given path ending with "/appinfo/info.xml"
39+
*
40+
* @since 31.0.0
41+
*/
42+
public function getAppInfoByPath(string $path, ?string $lang = null): ?array;
43+
3644
/**
3745
* Returns the app information from "appinfo/info.xml".
3846
*

0 commit comments

Comments
 (0)