Skip to content

Commit

Permalink
Merge pull request #4147 from nextcloud/fix/check-new-file-share-25
Browse files Browse the repository at this point in the history 
[stable25] Add brute force protection for public file creation
  • Loading branch information
@elzody
elzody authored Oct 18, 2024
2 parents 2585ad6 + cf08396 commit 0efdc07
Showing 1 changed file with 17 additions and 1 deletion.
18 changes: 17 additions & 1 deletion lib/Controller/DocumentAPIController.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@
use OCP\Files\IRootFolder;
use OCP\IL10N;
use OCP\IRequest;
use OCP\ISession;
use OCP\Share\IManager;
use Psr\Log\LoggerInterface;
use Throwable;
Expand All @@ -45,15 +46,17 @@ class DocumentAPIController extends \OCP\AppFramework\OCSController {
private $templateManager;
private $l10n;
private $logger;
private $session;
private $userId;

public function __construct(IRequest $request, IRootFolder $rootFolder, IManager $shareManager, TemplateManager $templateManager, IL10N $l10n, LoggerInterface $logger, $userId) {
public function __construct(IRequest $request, IRootFolder $rootFolder, IManager $shareManager, TemplateManager $templateManager, IL10N $l10n, LoggerInterface $logger, ISession $session, $userId) {
parent::__construct(Application::APPNAME, $request);
$this->rootFolder = $rootFolder;
$this->shareManager = $shareManager;
$this->templateManager = $templateManager;
$this->l10n = $l10n;
$this->logger = $logger;
$this->session = $session;
$this->userId = $userId;
}

Expand All @@ -66,11 +69,24 @@ public function __construct(IRequest $request, IRootFolder $rootFolder, IManager
*
* @NoAdminRequired
* @PublicPage
* @BruteForceProtection(action=richdocumentsCreatePublic)
*/
public function create(string $mimeType, string $fileName, string $directoryPath = '/', string $shareToken = null, ?int $templateId = null): JSONResponse {
try {
if ($shareToken !== null) {
$share = $this->shareManager->getShareByToken($shareToken);

if ($share->getPassword()) {
if (!$this->session->exists('public_link_authenticated')
|| $this->session->get('public_link_authenticated') !== (string)$share->getId()
) {
throw new Exception('Invalid password');
}
}

if (!($share->getPermissions() & \OCP\Constants::PERMISSION_CREATE)) {
throw new Exception('No create permissions');
}
}

$rootFolder = $shareToken !== null ? $share->getNode() : $this->rootFolder->getUserFolder($this->userId);
Expand Down

0 comments on commit 0efdc07

Please sign in to comment.