From 7509d9c45f7f365f4089e641fbed06bc31e60c43 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julius=20H=C3=A4rtl?= Date: Mon, 26 Aug 2024 15:58:06 +0200 Subject: [PATCH] fix: Apply checks on shares in the middleware MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Julius Härtl Signed-off-by: Max --- lib/Middleware/SessionMiddleware.php | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/lib/Middleware/SessionMiddleware.php b/lib/Middleware/SessionMiddleware.php index b74e009f0e3..8073aabf4de 100644 --- a/lib/Middleware/SessionMiddleware.php +++ b/lib/Middleware/SessionMiddleware.php @@ -16,10 +16,12 @@ use OCP\AppFramework\Http\JSONResponse; use OCP\AppFramework\Http\Response; use OCP\AppFramework\Middleware; +use OCP\Constants; use OCP\Files\IRootFolder; use OCP\Files\NotPermittedException; use OCP\IL10N; use OCP\IRequest; +use OCP\ISession; use OCP\IUserSession; use OCP\Share\Exceptions\ShareNotFound; use OCP\Share\IManager as ShareManager; @@ -31,6 +33,7 @@ public function __construct( private IRequest $request, private SessionService $sessionService, private DocumentService $documentService, + private ISession $session, private IUserSession $userSession, private IRootFolder $rootFolder, private ShareManager $shareManager, @@ -116,7 +119,7 @@ private function assertUserOrShareToken(ISessionAwareController $controller): vo $documentId = (int)$this->request->getParam('documentId'); if (null !== $userId = $this->userSession->getUser()?->getUID()) { // Check if user has access to document - if (count($this->rootFolder->getUserFolder($userId)->getById($documentId)) === 0) { + if ($this->rootFolder->getUserFolder($userId)->getFirstNodeById($documentId) === null) { throw new InvalidSessionException(); } $controller->setUserId($userId); @@ -126,8 +129,25 @@ private function assertUserOrShareToken(ISessionAwareController $controller): vo } catch (ShareNotFound) { throw new InvalidSessionException(); } - // Check if shareToken has access to document - if (count($this->rootFolder->getUserFolder($share->getShareOwner())->getById($documentId)) === 0) { + + $node = $this->rootFolder->getUserFolder($share->getShareOwner())->getFirstNodeById($documentId); + if ($node === null) { + throw new InvalidSessionException(); + } + + if ($share->getPassword() !== null) { + $shareId = $this->session->get('public_link_authenticated'); + if ($share->getId() !== $shareId) { + throw new InvalidSessionException(); + } + } + + if (($share->getPermissions() & Constants::PERMISSION_READ) !== Constants::PERMISSION_READ) { + throw new InvalidSessionException(); + } + + $attributes = $share->getAttributes(); + if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) { throw new InvalidSessionException(); } } else {