Skip to content

Commit f079931

Browse files
nickvergessennickvergessen
authored
Merge pull request #48604 from nextcloud/bugfix/noid/fix-tainted-file-appinfo
fix(appmanager): Fix tainted file path when loading appinfos
2 parents ef532fe + 0744984 commit f079931

File tree

6 files changed

+38
-29
lines changed

6 files changed

+38
-29
lines changed

build/psalm-baseline-security.xml

Lines changed: 0 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -22,11 +22,6 @@
2222
<code><![CDATA['Location: ' . \OC::$WEBROOT . '/']]></code>
2323
</TaintedHeader>
2424
</file>
25-
<file src="lib/private/App/InfoParser.php">
26-
<TaintedFile>
27-
<code><![CDATA[$file]]></code>
28-
</TaintedFile>
29-
</file>
3025
<file src="lib/private/AppFramework/Utility/SimpleContainer.php">
3126
<TaintedCallable>
3227
<code><![CDATA[$name]]></code>

build/psalm-baseline.xml

Lines changed: 0 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -2750,10 +2750,6 @@
27502750
<NullArgument>
27512751
<code><![CDATA[null]]></code>
27522752
</NullArgument>
2753-
<TypeDoesNotContainNull>
2754-
<code><![CDATA[$appId === null]]></code>
2755-
<code><![CDATA[$appId === null]]></code>
2756-
</TypeDoesNotContainNull>
27572753
</file>
27582754
<file src="lib/private/legacy/OC_Helper.php">
27592755
<InvalidArrayOffset>

lib/private/App/AppManager.php

Lines changed: 25 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -744,30 +744,39 @@ public function getAppsNeedingUpgrade($version) {
744744
*/
745745
public function getAppInfo(string $appId, bool $path = false, $lang = null) {
746746
if ($path) {
747-
$file = $appId;
748-
} else {
749-
if ($lang === null && isset($this->appInfos[$appId])) {
750-
return $this->appInfos[$appId];
751-
}
752-
try {
753-
$appPath = $this->getAppPath($appId);
754-
} catch (AppPathNotFoundException $e) {
755-
return null;
756-
}
757-
$file = $appPath . '/appinfo/info.xml';
747+
throw new \InvalidArgumentException('Calling IAppManager::getAppInfo() with a path is no longer supported. Please call IAppManager::getAppInfoByPath() instead and verify that the path is good before calling.');
748+
}
749+
if ($lang === null && isset($this->appInfos[$appId])) {
750+
return $this->appInfos[$appId];
751+
}
752+
try {
753+
$appPath = $this->getAppPath($appId);
754+
} catch (AppPathNotFoundException) {
755+
return null;
756+
}
757+
$file = $appPath . '/appinfo/info.xml';
758+
759+
$data = $this->getAppInfoByPath($file, $lang);
760+
761+
if ($lang === null) {
762+
$this->appInfos[$appId] = $data;
763+
}
764+
765+
return $data;
766+
}
767+
768+
public function getAppInfoByPath(string $path, ?string $lang = null): ?array {
769+
if (!str_ends_with($path, '/appinfo/info.xml')) {
770+
return null;
758771
}
759772

760773
$parser = new InfoParser($this->memCacheFactory->createLocal('core.appinfo'));
761-
$data = $parser->parse($file);
774+
$data = $parser->parse($path);
762775

763776
if (is_array($data)) {
764777
$data = \OC_App::parseAppInfo($data, $lang);
765778
}
766779

767-
if ($lang === null) {
768-
$this->appInfos[$appId] = $data;
769-
}
770-
771780
return $data;
772781
}
773782

lib/private/Installer.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -65,7 +65,7 @@ public function installApp(string $appId, bool $forceEnable = false): string {
6565
}
6666

6767
$l = \OCP\Util::getL10N('core');
68-
$info = \OCP\Server::get(IAppManager::class)->getAppInfo($basedir . '/appinfo/info.xml', true, $l->getLanguageCode());
68+
$info = \OCP\Server::get(IAppManager::class)->getAppInfoByPath($basedir . '/appinfo/info.xml', $l->getLanguageCode());
6969

7070
if (!is_array($info)) {
7171
throw new \Exception(

lib/private/legacy/OC_App.php

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -313,7 +313,8 @@ public static function findAppInDirectories(string $appId, bool $ignoreCache = f
313313
* @deprecated 11.0.0 use \OCP\Server::get(IAppManager)->getAppPath()
314314
*/
315315
public static function getAppPath(string $appId, bool $refreshAppPath = false) {
316-
if ($appId === null || trim($appId) === '') {
316+
$appId = self::cleanAppId($appId);
317+
if ($appId === '') {
317318
return false;
318319
}
319320

@@ -346,7 +347,7 @@ public static function getAppWebPath(string $appId) {
346347
*/
347348
public static function getAppVersionByPath(string $path): string {
348349
$infoFile = $path . '/appinfo/info.xml';
349-
$appData = \OC::$server->getAppManager()->getAppInfo($infoFile, true);
350+
$appData = \OCP\Server::get(IAppManager::class)->getAppInfoByPath($infoFile);
350351
return $appData['version'] ?? '';
351352
}
352353

lib/public/App/IAppManager.php

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -25,14 +25,22 @@ interface IAppManager {
2525
public const BACKEND_CALDAV = 'caldav';
2626

2727
/**
28-
* Returns the app information from "appinfo/info.xml".
28+
* Returns the app information from "appinfo/info.xml" for an app
2929
*
3030
* @param string|null $lang
3131
* @return array|null
3232
* @since 14.0.0
33+
* @since 31.0.0 Usage of $path is discontinued and throws an \InvalidArgumentException, use {@see self::getAppInfoByPath} instead.
3334
*/
3435
public function getAppInfo(string $appId, bool $path = false, $lang = null);
3536

37+
/**
38+
* Returns the app information from a given path ending with "/appinfo/info.xml"
39+
*
40+
* @since 31.0.0
41+
*/
42+
public function getAppInfoByPath(string $path, ?string $lang = null): ?array;
43+
3644
/**
3745
* Returns the app information from "appinfo/info.xml".
3846
*

0 commit comments

Comments
 (0)