From: Kevin Ottens
Date: Mon, 18 May 2020 17:22:41 +0000 (+0200)
Subject: Properly handle denormalized href
X-Git-Tag: archive/raspbian/3.16.7-1_deb13u1+rpi1~1^2~222^2^2~229^2
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=4d1ff01654027286d383c1f80e2372ca19e09478;p=nextcloud-desktop.git

Properly handle denormalized href

In case of denormalized paths in the dav href (presence of . or .. in the path) simple string startsWith comparison wasn't enough to know if said href ended up in the right namespace. That's why we're now using QUrl (pretending local file since we don't have a full URL in the href) to normalize the path before comparison. This could happen with broken proxies for instance where we would wrongly validate the dav information resulting in potentially surprising syncing and name collisions.

Signed-off-by: Kevin Ottens
---
diff --git a/src/libsync/networkjobs.cpp b/src/libsync/networkjobs.cpp
index 885a89618..20e00f1a9 100644
--- a/src/libsync/networkjobs.cpp
+++ b/src/libsync/networkjobs.cpp
@@ -209,7 +209,9 @@ bool LsColXMLParser::parse(const QByteArray &xml, QHash"
+ ""
+ "/oc/remote.php/webdav/sharefolder/"
+ ""
+ ""
+ "00004213ocobzus5kn6s"
+ "RDNVCK"
+ "121780"
+ "\"5527beb0400b0\""
+ ""
+ ""
+ ""
+ "Fri, 06 Feb 2015 13:49:55 GMT"
+ ""
+ "HTTP/1.1 200 OK"
+ ""
+ ""
+ ""
+ ""
+ ""
+ ""
+ ""
+ "HTTP/1.1 404 Not Found"
+ ""
+ ""
+ ""
+ "/oc/remote.php/webdav/sharefolder/../sharefolder/quitte.pdf"
+ ""
+ ""
+ "00004215ocobzus5kn6s"
+ "RDNVW"
+ "\"2fa2f0d9ed49ea0c3e409d49e652dea0\""
+ ""
+ "Fri, 06 Feb 2015 13:49:55 GMT"
+ "121780"
+ ""
+ "HTTP/1.1 200 OK"
+ ""
+ ""
+ ""
+ ""
+ ""
+ ""
+ "HTTP/1.1 404 Not Found"
+ ""
+ ""
+ "";
+
+
+ LsColXMLParser parser;
+
+ connect( &parser, SIGNAL(directoryListingSubfolders(const QStringList&)),
+ this, SLOT(slotDirectoryListingSubFolders(const QStringList&)) );
+ connect( &parser, SIGNAL(directoryListingIterated(const QString&, const QMap&)),
+ this, SLOT(slotDirectoryListingIterated(const QString&, const QMap&)) );
+ connect( &parser, SIGNAL(finishedWithoutError()),
+ this, SLOT(slotFinishedSuccessfully()) );
+
+ QHash sizes;
+ QVERIFY(parser.parse( testXml, &sizes, "/oc/remote.php/webdav/sharefolder" ));
+
+ QVERIFY(_success);
+ QCOMPARE(sizes.size(), 1 ); // Quota info in the XML
+
+ QVERIFY(_items.contains("/oc/remote.php/webdav/sharefolder/quitte.pdf"));
+ QVERIFY(_items.contains("/oc/remote.php/webdav/sharefolder"));
+ QVERIFY(_items.size() == 2 );
+
+ QVERIFY(_subdirs.contains("/oc/remote.php/webdav/sharefolder/"));
+ QVERIFY(_subdirs.size() == 1);
+ }
+
+ void testParserDenormalizedPathOutsideNamespace() {
+ const QByteArray testXml = ""
+ ""
+ ""
+ "/oc/remote.php/webdav/sharefolder/"
+ ""
+ ""
+ "00004213ocobzus5kn6s"
+ "RDNVCK"
+ "121780"
+ "\"5527beb0400b0\""
+ ""
+ ""
+ ""
+ "Fri, 06 Feb 2015 13:49:55 GMT"
+ ""
+ "HTTP/1.1 200 OK"
+ ""
+ ""
+ ""
+ ""
+ ""
+ ""
+ ""
+ "HTTP/1.1 404 Not Found"
+ ""
+ ""
+ ""
+ "/oc/remote.php/webdav/sharefolder/../quitte.pdf"
+ ""
+ ""
+ "00004215ocobzus5kn6s"
+ "RDNVW"
+ "\"2fa2f0d9ed49ea0c3e409d49e652dea0\""
+ ""
+ "Fri, 06 Feb 2015 13:49:55 GMT"
+ "121780"
+ ""
+ "HTTP/1.1 200 OK"
+ ""
+ ""
+ ""
+ ""
+ ""
+ ""
+ "HTTP/1.1 404 Not Found"
+ ""
+ ""
+ "";
+
+
+ LsColXMLParser parser;
+
+ connect( &parser, SIGNAL(directoryListingSubfolders(const QStringList&)),
+ this, SLOT(slotDirectoryListingSubFolders(const QStringList&)) );
+ connect( &parser, SIGNAL(directoryListingIterated(const QString&, const QMap&)),
+ this, SLOT(slotDirectoryListingIterated(const QString&, const QMap&)) );
+ connect( &parser, SIGNAL(finishedWithoutError()),
+ this, SLOT(slotFinishedSuccessfully()) );
+
+ QHash sizes;
+ QVERIFY(!parser.parse( testXml, &sizes, "/oc/remote.php/webdav/sharefolder" ));
+
+ QVERIFY(!_success);
+ }
+
 void testHrefUrlEncoding() {
 const QByteArray testXml = ""
 ""
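Review bot: The two added tests exercise only a literal `..` segment, although the commit message also names single `.` segments, and nothing here covers a percent-encoded dot segment or a sibling folder that merely shares the string prefix of the expected path, which both tests pass without a trailing slash as `"/oc/remote.php/webdav/sharefolder"`. The parser change in networkjobs.cpp is not visible in this view, so whether those inputs are rejected cannot be confirmed from here; a test per case would pin the namespace check against regressions. A constructed example for the sibling case is an href of `/oc/remote.php/webdav/sharefolder2/quitte.pdf` with `QVERIFY(!parser.parse( testXml, &sizes, "/oc/remote.php/webdav/sharefolder" ));`. In `testParserDenormalizedPathOutsideNamespace` I would also put `// href normalizes to /oc/remote.php/webdav/quitte.pdf, outside the listed folder` above the `QVERIFY(!parser.parse(...))` line, so the reason for the expected failure is stated next to the assertion.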