Prevent .part upload via dav

[IljaN]

Description

Prevent creating, moving, copying to paths with extension .part

Related Issue

#7496

How Has This Been Tested?

Manually, Integration-Tests

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• My code follows the code style of this project.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have read the CONTRIBUTING document.
• I have added tests to cover my changes.
• All new and existing tests passed.

[mmattel]

@IljaN
one question, what would happen if somone creates a folder called .part ?

[IljaN]

@mmattel Good catch! It is not possible via webdav: mkcol .part Fails with 405 Method not allowed, not sure if it is the correct code tough.

If you create the directory directly in your storage with mkdir .part it is ignored by owncloud since we don`t support dotfiles afaik

[PVince81]

@IljaN we should also block "$name.part" folders. Ignoring is not good. If you had the impression that OC ignores it, did you check the FS ? Maybe it created the folder still but it wasn't visible in the UI ?

Better block those as well.

[mmattel]

@IljaN maybe you could use from #19235
lib/private/Files/Filesystem.php function isForbiddenFileOrDir and add .part into the query array

[IljaN]

@PVince81 .part directory creation is already prevented by this change:

dav:/remote.php/dav/files/admin/> mkcol path.with.ext.part
Creating `path.with.ext.part': failed:
400 Bad Request

@mmattel I extended verfiyPath method with a extension check, this seems to catch all cases with the benefit that it is used in all codepaths (Single point of truth), what benefits does extending isForbiddenFileOr dir give us?

[PVince81]

@IljaN prove it with an integration test 😉

Is 400 bad request the correct code, same as for files ? Just asking, I thought we returned 403 for those but don't remember exactly.

[mmattel]

@IljaN nothing special, just remembered that we excluded stuff some time ago and thought it is maybe usable for your PR, never mind

[PVince81]

rebase conflicts

[IljaN]

@PVince81 let me fix them, I am also in the process adding a missing test

[IljaN]

@PVince81 Ready

[PVince81]

did we talk about https://github.com/owncloud/core/pull/27149/files#diff-6cc3350c00dd13da023086587cce8bfdR64 ?

[IljaN]

Ready for next review round

[mmattel]

wouldnt it be good to get the filename/component in question from the constant instead of hardcoding it?

[PVince81]

@IljaN see above comment

Also we cannot use the name "ownCloud" in error messages due to theming, please remove it

[IljaN]

Not sure if I understand I am getting it from FileInfo::BLACKLIST_FILES_REGEX

[mmattel]

To be precise, it is not the query but the text.

Here you state hardcoded .part
But the regex says const BLACKLIST_FILES_REGEX = '\.(part|filepart)$';
One name is missing.
What happens when the regex is extended with more names?
Extract the names and print them to be futureproof.

[IljaN]

Ready for next round of review

[PVince81]

👍 looks good to me, thanks a lot!

[PVince81]

@IljaN please backport to stable10

[PVince81]

stable10: #29432

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.