Skip to content

Added check for mtime to be integer #27615

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
virajparimi wants to merge 2 commits into from
Closed

Added check for mtime to be integer #27615

virajparimi wants to merge 2 commits into from

Conversation

@virajparimi
Copy link
Contributor

@virajparimi virajparimi commented Apr 10, 2017

Description

Added check in File.php of dav app in order to ensure that $request->server['HTTP_X_OC_MTIME'] is an integer. If it is not then throws a BadRequest exception.

Related Issue

#27437

Motivation and Context

How Has This Been Tested?

Have not tested it thoroughly.
Chrome and Ubuntu 14.04

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed.

PVince81
PVince81 reviewed Apr 11, 2017
View reviewed changes
apps/dav/lib/Connector/Sabre/File.php Outdated
}
}
else {
throw new BadRequest('expected mtime to be integer');
Copy link
Contributor

@PVince81 PVince81 Apr 11, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

=> "X-OC-MTime header must be an integer" would be a bit clearer

@PVince81
Copy link
Contributor

PVince81 commented Apr 11, 2017

Code looks good otherwise, thanks !

@virajparimi
Copy link
Contributor Author

virajparimi commented Apr 11, 2017

@PVince81 done

@PVince81
Copy link
Contributor

PVince81 commented Apr 12, 2017

Please test with the desktop client, apparently the value is not recognized as int by is_int, you might need to use another approach to detect this.

``'
// => eval: $request->server['HTTP_X_OC_MTIME']
$evalResult = (string[10]) '1491982450';

// => eval: is_int($request->server['HTTP_X_OC_MTIME'])
$evalResult = (bool) '0';

@virajparimi
Copy link
Contributor Author

virajparimi commented Apr 12, 2017

Ahh, so the $request->server['HTTP_X_OC_MTIME'] is a string and not an integer. Okay, one possible solution is to use strpos to get the position of . if any, otherwise it would return false and then everything else remains same. What do you think?

@PVince81
Copy link
Contributor

PVince81 commented Apr 12, 2017

strpos is not acceptable because it wouldn't catch other cases where someone sends an invalid value (for example if someone is crazy enough to send a ISO formatted date instead of an int)

individual-it added a commit that referenced this pull request Apr 12, 2017
@individual-it
test for PR #27615
2f3be2b
@individual-it individual-it mentioned this pull request Apr 12, 2017
Closed
@individual-it
Copy link
Member

individual-it commented Apr 12, 2017

the is_int approach has also the problem that negative values would be accepted
I've changed the File.php so that put() should be easier testable and added some tests.
@Viraj96 I've made a PR to your fork virajparimi#1
You can think of more tests

@PVince81
Copy link
Contributor

PVince81 commented May 4, 2017

any update ?

@virajparimi
Copy link
Contributor Author

virajparimi commented May 4, 2017

@PVince81 Hi, I have been busy with my End Semester Exams. Will work on it once they get over by this weekend. Sorry for the delay caused.

@DeepDiver1975 DeepDiver1975 added this to the 10.1 milestone May 12, 2017
@mrow4a
Copy link
Contributor

mrow4a commented May 24, 2017

Any update here, or can I review?

@phil-davis phil-davis mentioned this pull request May 31, 2017
Closed
@individual-it individual-it mentioned this pull request Jun 2, 2017
Merged
9 tasks
@individual-it
Copy link
Member

individual-it commented Jun 8, 2017

here is an alternative approach #28066 don't throw any errors but simply make sure the value is legal

@mrow4a
Copy link
Contributor

mrow4a commented Jun 27, 2017
edited
Loading

This one can be closed since the other approach has been merged right? @PVince81

@PVince81 PVince81 closed this Jun 27, 2017
@DeepDiver1975 DeepDiver1975 modified the milestones: 10.1, development Oct 10, 2017
@lock
Copy link

lock bot commented Aug 2, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Aug 2, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@PVince81 PVince81 PVince81 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

2 - Developing

Projects

None yet

Milestone

10.0.5

Development

Successfully merging this pull request may close these issues.

5 participants

@virajparimi @PVince81 @individual-it @mrow4a @DeepDiver1975