fix: Do not leak data directory in exception (security)

susnux · susnux · commit ee7ad79662aa · 2024-07-09T14:34:39.000+02:00
Signed-off-by: Ferdinand Thiessen &lt;opensource@fthiessen.de&gt;
diff --git a/lib/private/Files/Storage/Local.php b/lib/private/Files/Storage/Local.php
@@ -321,7 +321,9 @@ private function checkTreeForForbiddenItems(string $path) {
 		/** @var \SplFileInfo $file */
 		foreach ($iterator as $file) {
 			if (!$this->getFilenameValidator()->isFilenameValid($file->getBasename())) {
-				throw new ForbiddenException('Invalid path: ' . $file->getPathname(), false);
+				// Do not leak data dir
+				$filePath = substr($file->getPathname(), strlen($this->datadir));
+				throw new ForbiddenException('Invalid path: ' . $filePath, false);
 			}
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -321,7 +321,9 @@ private function checkTreeForForbiddenItems(string $path) {`
`321`	`321`	`/** @var \SplFileInfo $file */`
`322`	`322`	`foreach ($iterator as $file) {`
`323`	`323`	`if (!$this->getFilenameValidator()->isFilenameValid($file->getBasename())) {`
`324`		`- throw new ForbiddenException('Invalid path: ' . $file->getPathname(), false);`
	`324`	`+ // Do not leak data dir`
	`325`	`+ $filePath = substr($file->getPathname(), strlen($this->datadir));`
	`326`	`+ throw new ForbiddenException('Invalid path: ' . $filePath, false);`
`325`	`327`	`}`
`326`	`328`	`}`
`327`	`329`	`}`