
Commit 23f33a4

Merge pull request #4143 from nextcloud/fix/check-new-file-share-28
[stable28] Add brute force protection for public file creation
2 parents 7fa5750 + b3610b6 commit 23f33a4

1 file changed

+17
-1
lines changed


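--- a/lib/Controller/DocumentAPIController.php
+++ b/lib/Controller/DocumentAPIController.php
@@ -40,6 +40,7 @@
 use OCP\Files\Lock\NoLockProviderException;
 use OCP\IL10N;
 use OCP\IRequest;
+use OCP\ISession;
 use OCP\PreConditionNotMetException;
 use OCP\Share\IManager;
 use Psr\Log\LoggerInterface;
@@ -52,16 +53,18 @@ class DocumentAPIController extends \OCP\AppFramework\OCSController {
 private $l10n;
 private $logger;
 private $lockManager;
+private $session;
 private $userId;
 
-public function __construct(IRequest $request, IRootFolder $rootFolder, IManager $shareManager, TemplateManager $templateManager, IL10N $l10n, LoggerInterface $logger, ILockManager $lockManager, $userId) {
+public function __construct(IRequest $request, IRootFolder $rootFolder, IManager $shareManager, TemplateManager $templateManager, IL10N $l10n, LoggerInterface $logger, ILockManager $lockManager, ISession $session, $userId) {
 parent::__construct(Application::APPNAME, $request);
 $this->rootFolder = $rootFolder;
 $this->shareManager = $shareManager;
 $this->templateManager = $templateManager;
 $this->l10n = $l10n;
 $this->logger = $logger;
 $this->lockManager = $lockManager;
+$this->session = $session;
 $this->userId = $userId;
 }
 
@@ -74,11 +77,24 @@ public function __construct(IRequest $request, IRootFolder $rootFolder, IManager
 *
 * @NoAdminRequired
 * @PublicPage
+* @BruteForceProtection(action=richdocumentsCreatePublic)
 */
 public function create(string $mimeType, string $fileName, string $directoryPath = '/', string $shareToken = null, ?int $templateId = null): JSONResponse {
 try {
 if ($shareToken !== null) {
 $share = $this->shareManager->getShareByToken($shareToken);
+
+if ($share->getPassword()) {
+if (!$this->session->exists('public_link_authenticated')
+|| $this->session->get('public_link_authenticated') !== (string)$share->getId()
+) {
+throw new Exception('Invalid password');
+}
+}
+
+if (!($share->getPermissions() & \OCP\Constants::PERMISSION_CREATE)) {
+throw new Exception('No create permissions');
+}
 }
 
 $rootFolder = $shareToken !== null ? $share->getNode() : $this->rootFolder->getUserFolder($this->userId);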
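Review bot: The `@BruteForceProtection(action=richdocumentsCreatePublic)` annotation on `create()` only throttles requests once a failed attempt has been recorded, and recording happens when the failure response has `throttle()` called on it; the new password check merely does `throw new Exception('Invalid password')`, and the `catch` block that turns that into a `JSONResponse` lies outside this hunk, so unless it calls `->throttle()` for exactly this case the protection never counts anything. Because a plain `Exception` is thrown here, that catch also cannot tell the authentication failure apart from any other error without matching on the message string. I would replace the throw with a directly returned, throttled response, e.g. `return (new JSONResponse(['message' => 'Invalid password'], 403))->throttle();`, or throw a dedicated exception type the catch maps to a throttled 403. The session-vs-share-id comparison itself mirrors the core public-share pattern and looks right; `create()` continues past the end of the hunk.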