From 835c5d271fd3a8863f774737dca36c463578a719 Mon Sep 17 00:00:00 2001 From: tbrehm Date: Wed, 4 Apr 2012 07:10:31 +0000 Subject: [PATCH] Extended path checks for webdav users in apache plugin. --- .../plugins-available/apache2_plugin.inc.php | 27 ++++++++++++++----- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/server/plugins-available/apache2_plugin.inc.php b/server/plugins-available/apache2_plugin.inc.php index c885f70a9..9724317d6 100644 --- a/server/plugins-available/apache2_plugin.inc.php +++ b/server/plugins-available/apache2_plugin.inc.php @@ -1576,6 +1576,7 @@ class apache2_plugin { $domain = $sitedata['domain']; $user = $sitedata['system_user']; $group = $sitedata['system_group']; + $webdav_user_dir = $documentRoot . '/webdav/' . $data['new']['dir']; /* Check if this is a chrooted setup */ if($web_config['website_basedir'] != '' && @is_file($web_config['website_basedir'].'/etc/passwd')) { @@ -1584,13 +1585,25 @@ class apache2_plugin { } else { $apache_chrooted = false; } + + //* We dont want to have relative paths here + if(stristr($webdav_user_dir,'..') || stristr($webdav_user_dir,'./')) { + $app->log('Folder path '.$webdav_user_dir.' contains ./ or .. '.$documentRoot,LOGLEVEL_WARN); + return false; + } + + //* Check if the resulting path exists if yes, if it is inside the docroot + if(is_dir($webdav_user_dir) && substr(realpath($webdav_user_dir),0,strlen($documentRoot)) != $documentRoot) { + $app->log('Folder path '.$webdav_user_dir.' is outside of docroot '.$documentRoot,LOGLEVEL_WARN); + return false; + } /* * First the webdav-root - folder has to exist */ - if(!is_dir($documentRoot . '/webdav/' . $data['new']['dir'])) { - $app->log('Webdav User directory '.$documentRoot.'/webdav/'.$data['new']['dir'].' does not exist. Creating it now.',LOGLEVEL_DEBUG); - exec('mkdir -p '.escapeshellcmd($documentRoot . '/webdav/' . $data['new']['dir'])); + if(!is_dir($webdav_user_dir)) { + $app->log('Webdav User directory '.$webdav_user_dir.' does not exist. Creating it now.',LOGLEVEL_DEBUG); + exec('mkdir -p '.escapeshellcmd($webdav_user_dir)); } /* @@ -1603,19 +1616,19 @@ class apache2_plugin { * The webdav folder (not the webdav-root!) needs the same (not in ONE step, because the * pwd-files are owned by root) */ - $this->_exec('chown ' . $user . ':' . $group . ' ' . escapeshellcmd($documentRoot . '/webdav/'. $data['new']['dir'] . ' -R')); - $this->_exec('chmod 770 ' . escapeshellcmd($documentRoot . '/webdav/' . $data['new']['dir'] . ' -R')); + $this->_exec('chown ' . $user . ':' . $group . ' ' . escapeshellcmd($webdav_user_dir.' -R')); + $this->_exec('chmod 770 ' . escapeshellcmd($webdav_user_dir.' -R')); /* * if the user is active, we have to write/update the password - file * if the user is inactive, we have to inactivate the user by removing the user from the file */ if ($data['new']['active'] == 'y') { - $this->_writeHtDigestFile( $documentRoot . '/webdav/' . $data['new']['dir'] . '.htdigest', $data['new']['username'], $data['new']['dir'], $data['new']['password']); + $this->_writeHtDigestFile( $webdav_user_dir . '.htdigest', $data['new']['username'], $data['new']['dir'], $data['new']['password']); } else { /* empty pwd removes the user! */ - $this->_writeHtDigestFile( $documentRoot . '/webdav/' . $data['new']['dir'] . '.htdigest', $data['new']['username'], $data['new']['dir'], ''); + $this->_writeHtDigestFile( $webdav_user_dir . '.htdigest', $data['new']['username'], $data['new']['dir'], ''); } /* -- GitLab