From 4d1ff01654027286d383c1f80e2372ca19e09478 Mon Sep 17 00:00:00 2001
From: Kevin Ottens
Date: Mon, 18 May 2020 19:22:41 +0200
Subject: [PATCH] Properly handle denormalized href

In case of denormalized paths in the dav href (presence of . or .. in the path) simple string startsWith comparison wasn't enough to know if said href ended up in the right namespace. That's why we're now using QUrl (pretending local file since we don't have a full URL in the href) to normalize the path before comparison. This could happen with broken proxies for instance where we would wrongly validate the dav information resulting in potentially surprising syncing and name collisions.

Signed-off-by: Kevin Ottens
---
src/libsync/networkjobs.cpp | 4 +-
test/testxmlparse.cpp | 140 ++++++++++++++++++++++++++++++++++++
2 files changed, 143 insertions(+), 1 deletion(-)
diff --git a/src/libsync/networkjobs.cpp b/src/libsync/networkjobs.cpp
index 885a89618..20e00f1a9 100644
--- a/src/libsync/networkjobs.cpp
+++ b/src/libsync/networkjobs.cpp
@@ -209,7 +209,9 @@ bool LsColXMLParser::parse(const QByteArray &xml, QHash" + "" + "/oc/remote.php/webdav/sharefolder/" + "" + "" + "00004213ocobzus5kn6s" + "RDNVCK" + "121780" + "\"5527beb0400b0\"" + "" + "" + "" + "Fri, 06 Feb 2015 13:49:55 GMT" + "" + "HTTP/1.1 200 OK" + "" + "" + "" + "" + "" + "" + "" + "HTTP/1.1 404 Not Found" + "" + "" + "" + "/oc/remote.php/webdav/sharefolder/../sharefolder/quitte.pdf" + "" + "" + "00004215ocobzus5kn6s" + "RDNVW" + "\"2fa2f0d9ed49ea0c3e409d49e652dea0\"" + "" + "Fri, 06 Feb 2015 13:49:55 GMT" + "121780" + "" + "HTTP/1.1 200 OK" + "" + "" + "" + "" + "" + "" + "HTTP/1.1 404 Not Found" + "" + "" + ""; + + + LsColXMLParser parser; + + connect( &parser, SIGNAL(directoryListingSubfolders(const QStringList&)), + this, SLOT(slotDirectoryListingSubFolders(const QStringList&)) ); + connect( &parser, SIGNAL(directoryListingIterated(const QString&, const QMap&)), + this, SLOT(slotDirectoryListingIterated(const QString&, const QMap&)) ); + connect( &parser, SIGNAL(finishedWithoutError()), + this, SLOT(slotFinishedSuccessfully()) ); + + QHash sizes; + QVERIFY(parser.parse( testXml, &sizes, "/oc/remote.php/webdav/sharefolder" )); + + QVERIFY(_success); + QCOMPARE(sizes.size(), 1 ); // Quota info in the XML + + QVERIFY(_items.contains("/oc/remote.php/webdav/sharefolder/quitte.pdf")); + QVERIFY(_items.contains("/oc/remote.php/webdav/sharefolder")); + QVERIFY(_items.size() == 2 ); + + QVERIFY(_subdirs.contains("/oc/remote.php/webdav/sharefolder/")); + QVERIFY(_subdirs.size() == 1); + } + + void testParserDenormalizedPathOutsideNamespace() { + const QByteArray testXml = "" + "" + "" + "/oc/remote.php/webdav/sharefolder/" + "" + "" + "00004213ocobzus5kn6s" + "RDNVCK" + "121780" + "\"5527beb0400b0\"" + "" + "" + "" + "Fri, 06 Feb 2015 13:49:55 GMT" + "" + "HTTP/1.1 200 OK" + "" + "" + "" + "" + "" + "" + "" + "HTTP/1.1 404 Not Found" + "" + "" + "" + "/oc/remote.php/webdav/sharefolder/../quitte.pdf" + "" + "" + "00004215ocobzus5kn6s" + "RDNVW" 
+ "\"2fa2f0d9ed49ea0c3e409d49e652dea0\"" + "" + "Fri, 06 Feb 2015 13:49:55 GMT" + "121780" + "" + "HTTP/1.1 200 OK" + "" + "" + "" + "" + "" + "" + "HTTP/1.1 404 Not Found" + "" + "" + ""; + + + LsColXMLParser parser; + + connect( &parser, SIGNAL(directoryListingSubfolders(const QStringList&)), + this, SLOT(slotDirectoryListingSubFolders(const QStringList&)) ); + connect( &parser, SIGNAL(directoryListingIterated(const QString&, const QMap&)), + this, SLOT(slotDirectoryListingIterated(const QString&, const QMap&)) ); + connect( &parser, SIGNAL(finishedWithoutError()), + this, SLOT(slotFinishedSuccessfully()) ); + + QHash sizes; + QVERIFY(!parser.parse( testXml, &sizes, "/oc/remote.php/webdav/sharefolder" )); + + QVERIFY(!_success); + } + void testHrefUrlEncoding() { const QByteArray testXml = "" ""
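Review bot: The only negative case added here is `testParserDenormalizedPathOutsideNamespace`, which uses a literal `..` segment, so two other ways an href can leave the expected namespace stay unpinned. One is a sibling that merely shares the prefix, such as `/oc/remote.php/webdav/sharefolder-other/quitte.pdf` checked against `"/oc/remote.php/webdav/sharefolder"`. The other is a percent-encoded dot segment (`%2e%2e`), which matters if the href is decoded before the comparison, as the neighbouring `testHrefUrlEncoding` suggests. The `networkjobs.cpp` hunk is not readable on this page, so whether the normalised comparison already rejects these is unknown. I would add one test per case, each asserting `QVERIFY(!parser.parse( testXml, &sizes, "/oc/remote.php/webdav/sharefolder" ));`. The rejecting test should also assert `QVERIFY(_items.isEmpty());`, so that a listing which fails validation is shown not to have emitted the valid first entry to the slots.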