From d68f700e6e420f901af88a05c876df7f55aeef02 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julius=20H=C3=A4rtl?=
Date: Mon, 26 Aug 2024 15:58:06 +0200
Subject: [PATCH] fix: Apply checks on shares in the middleware
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Julius Härtl
Signed-off-by: Max
---
 lib/Service/AttachmentService.php | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/lib/Service/AttachmentService.php b/lib/Service/AttachmentService.php
index 5561fd4bae0..ad74f9d80b5 100644
--- a/lib/Service/AttachmentService.php
+++ b/lib/Service/AttachmentService.php
@@ -39,6 +39,7 @@ use OCP\Files\NotPermittedException;
 use OCP\Files\SimpleFS\ISimpleFile;
 use OCP\IPreview;
+use OCP\ISession;
 use OCP\Share\Exceptions\ShareNotFound;
 use OCP\Share\IShare;
 use OCP\Util;
@@ -59,6 +60,10 @@ class AttachmentService {
 * @var IPreview
 */
 private $previewManager;
+ /**
+ * @var ISession
+ */
+ private $session;
 /**
 * @var IMimeTypeDetector
 */
@@ -67,10 +72,12 @@ class AttachmentService {
 public function __construct(IRootFolder $rootFolder,
 ShareManager $shareManager,
 IPreview $previewManager,
+ ISession $session,
 IMimeTypeDetector $mimeTypeDetector) {
 $this->rootFolder = $rootFolder;
 $this->shareManager = $shareManager;
 $this->previewManager = $previewManager;
+ $this->session = $session;
 $this->mimeTypeDetector = $mimeTypeDetector;
 }
@@ -545,6 +552,27 @@ private function getTextFilePublic(?int $documentId, string $shareToken): File {
 try {
 $share = $this->shareManager->getShareByToken($shareToken);
 if ($share->getShareType() === IShare::TYPE_LINK) {
+
+ // check for password if required
+ /** @psalm-suppress RedundantConditionGivenDocblockType */
+ if ($share->getPassword() !== null) {
+ $shareId = $this->session->get('public_link_authenticated');
+ if ($share->getId() !== $shareId) {
+ throw new ShareNotFound();
+ }
+ }
+
+ // check read permission
+ if (($share->getPermissions() & Constants::PERMISSION_READ) !== Constants::PERMISSION_READ) {
+ throw new ShareNotFound();
+ }
+
+ // check download permission
+ $attributes = $share->getAttributes();
+ if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+ throw new ShareNotFound();
+ }
+
 // shared file or folder?
 if ($share->getNodeType() === 'file') {
 $textFile = $share->getNode();
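Review bot: The read-permission check references `Constants::PERMISSION_READ`, but the only import this patch adds is `OCP\ISession`; unless `use OCP\Constants;` already exists earlier in the file, the name resolves against the service's own namespace and the new guard fails at runtime, so confirm the import is present. The session comparison `$share->getId() !== $shareId` is strict, which fails closed if the `public_link_authenticated` value was stored with a different scalar type than `getId()` returns — the safe direction, but worth a why-comment such as `// core sets this session key after a successful share-password check; compare strictly so a type mismatch denies rather than grants`, to be confirmed against the controller that writes the key. Raising `ShareNotFound` for a missing password session, missing read permission and disabled download alike is deliberate in that it does not disclose that a token exists, which deserves a one-line comment above the password block. The `try` opened at the top of the hunk is closed outside it, so verify that its `catch` handles these new throws the same way as an unknown token; getTextFilePublic's body continues past the hunk.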