This project does not seem to handle request data directly as such no vulnerable execution paths were found.
include
, or for example
via PHP's auto-loading mechanism.
These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more
1 | <?php |
||
2 | /** |
||
3 | * @copyright Copyright (c) 2018, Roeland Jago Douma <[email protected]> |
||
4 | * |
||
5 | * @author Roeland Jago Douma <[email protected]> |
||
6 | * |
||
7 | * @license GNU AGPL version 3 or any later version |
||
8 | * |
||
9 | * This program is free software: you can redistribute it and/or modify |
||
10 | * it under the terms of the GNU Affero General Public License as |
||
11 | * published by the Free Software Foundation, either version 3 of the |
||
12 | * License, or (at your option) any later version. |
||
13 | * |
||
14 | * This program is distributed in the hope that it will be useful, |
||
15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
||
16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||
17 | * GNU Affero General Public License for more details. |
||
18 | * |
||
19 | * You should have received a copy of the GNU Affero General Public License |
||
20 | * along with this program. If not, see <http://www.gnu.org/licenses/>. |
||
21 | * |
||
22 | */ |
||
23 | namespace OCA\Richdocuments\Controller; |
||
24 | |||
25 | use OCA\Richdocuments\AppConfig; |
||
26 | use OCA\Richdocuments\Db\DirectMapper; |
||
27 | use OCA\Richdocuments\Service\FederationService; |
||
28 | use OCA\Richdocuments\TemplateManager; |
||
29 | use OCA\Richdocuments\TokenManager; |
||
30 | use OCP\AppFramework\Controller; |
||
31 | use OCP\AppFramework\Db\DoesNotExistException; |
||
32 | use OCP\AppFramework\Http; |
||
33 | use OCP\AppFramework\Http\ContentSecurityPolicy; |
||
34 | use OCP\AppFramework\Http\JSONResponse; |
||
35 | use OCP\AppFramework\Http\RedirectResponse; |
||
36 | use OCP\AppFramework\Http\TemplateResponse; |
||
37 | use OCP\Files\IRootFolder; |
||
38 | use OCP\Files\Node; |
||
39 | use OCP\Files\NotFoundException; |
||
40 | use OCP\IConfig; |
||
41 | use OCP\IRequest; |
||
42 | |||
43 | class DirectViewController extends Controller { |
||
44 | /** @var IRootFolder */ |
||
45 | private $rootFolder; |
||
46 | |||
47 | /** @var TokenManager */ |
||
48 | private $tokenManager; |
||
49 | |||
50 | /** @var DirectMapper */ |
||
51 | private $directMapper; |
||
52 | |||
53 | /** @var IConfig */ |
||
54 | private $config; |
||
55 | |||
56 | /** @var AppConfig */ |
||
57 | private $appConfig; |
||
58 | |||
59 | /** @var TemplateManager */ |
||
60 | private $templateManager; |
||
61 | |||
62 | /** @var FederationService */ |
||
63 | private $federationService; |
||
64 | |||
65 | View Code Duplication | public function __construct( |
|
66 | $appName, |
||
67 | IRequest $request, |
||
68 | IRootFolder $rootFolder, |
||
69 | TokenManager $tokenManager, |
||
70 | DirectMapper $directMapper, |
||
71 | IConfig $config, |
||
72 | AppConfig $appConfig, |
||
73 | TemplateManager $templateManager, |
||
74 | FederationService $federationService |
||
75 | ) { |
||
76 | parent::__construct($appName, $request); |
||
77 | |||
78 | $this->rootFolder = $rootFolder; |
||
79 | $this->tokenManager = $tokenManager; |
||
80 | $this->directMapper = $directMapper; |
||
81 | $this->config = $config; |
||
82 | $this->appConfig = $appConfig; |
||
83 | $this->templateManager = $templateManager; |
||
84 | $this->federationService = $federationService; |
||
85 | } |
||
86 | |||
87 | /** |
||
88 | * @NoAdminRequired |
||
89 | * @NoCSRFRequired |
||
90 | * @PublicPage |
||
91 | * |
||
92 | * @param string $token |
||
93 | * @return JSONResponse|RedirectResponse|TemplateResponse |
||
94 | * @throws NotFoundException |
||
95 | */ |
||
96 | public function show($token) { |
||
97 | try { |
||
98 | $direct = $this->directMapper->getByToken($token); |
||
99 | } catch (DoesNotExistException $e) { |
||
100 | $params = [ |
||
101 | 'errors' => [['error' => $e->getMessage()]] |
||
102 | ]; |
||
103 | return new TemplateResponse('core', 'error', $params, 'guest'); |
||
104 | } |
||
105 | |||
106 | // Delete the token. They are for 1 time use only |
||
107 | $this->directMapper->delete($direct); |
||
0 ignored issues
–
show
|
|||
108 | |||
109 | $folder = $this->rootFolder->getUserFolder($direct->getUid()); |
||
110 | if ($this->templateManager->isTemplate($direct->getFileid())) { |
||
111 | $item = $this->templateManager->get($direct->getFileid()); |
||
112 | if ($direct->getTemplateDestination() === 0 || $direct->getTemplateDestination() === null) { |
||
113 | return new JSONResponse([], Http::STATUS_BAD_REQUEST); |
||
114 | } |
||
115 | |||
116 | try { |
||
117 | |||
118 | list($urlSrc, $wopi) = $this->tokenManager->getTokenForTemplate($item, $direct->getUid(), $direct->getTemplateDestination(), true); |
||
119 | } catch (\Exception $e) { |
||
120 | return new JSONResponse([], Http::STATUS_BAD_REQUEST); |
||
121 | } |
||
122 | |||
123 | $relativePath = '/new.odt'; |
||
124 | |||
125 | } else { |
||
126 | try { |
||
127 | $item = $folder->getById($direct->getFileid())[0]; |
||
128 | if(!($item instanceof Node)) { |
||
129 | throw new \Exception(); |
||
130 | } |
||
131 | |||
132 | /** Open file from remote collabora */ |
||
133 | $federatedUrl = $this->federationService->getRemoteRedirectURL($item, $direct); |
||
134 | View Code Duplication | if ($federatedUrl !== null) { |
|
135 | $response = new RedirectResponse($federatedUrl); |
||
136 | $response->addHeader('X-Frame-Options', 'ALLOW'); |
||
137 | return $response; |
||
138 | } |
||
139 | |||
140 | list($urlSrc, $token, $wopi) = $this->tokenManager->getToken($item->getId(), null, $direct->getUid(), true); |
||
141 | } catch (\Exception $e) { |
||
142 | $params = [ |
||
143 | 'errors' => [['error' => $e->getMessage()]] |
||
144 | ]; |
||
145 | return new TemplateResponse('core', 'error', $params, 'guest'); |
||
146 | } |
||
147 | |||
148 | $relativePath = $folder->getRelativePath($item->getPath()); |
||
149 | } |
||
150 | |||
151 | try { |
||
152 | $params = [ |
||
153 | 'permissions' => $item->getPermissions(), |
||
154 | 'title' => $item->getName(), |
||
155 | 'fileId' => $wopi->getFileid() . '_' . $this->config->getSystemValue('instanceid'), |
||
156 | 'token' => $wopi->getToken(), |
||
157 | 'urlsrc' => $urlSrc, |
||
158 | 'path' => $relativePath, |
||
159 | 'instanceId' => $this->config->getSystemValue('instanceid'), |
||
160 | 'canonical_webroot' => $this->appConfig->getAppValue('canonical_webroot'), |
||
161 | 'direct' => true, |
||
162 | ]; |
||
163 | |||
164 | $response = new TemplateResponse('richdocuments', 'documents', $params, 'base'); |
||
165 | $policy = new ContentSecurityPolicy(); |
||
166 | $policy->allowInlineScript(true); |
||
0 ignored issues
–
show
The method
OCP\AppFramework\Http\Em...cy::allowInlineScript() has been deprecated with message: 10.0 CSP tokens are now used
This method has been deprecated. The supplier of the class has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead.
Loading history...
|
|||
167 | $policy->addAllowedFrameDomain($this->appConfig->getAppValue('public_wopi_url')); |
||
168 | $response->setContentSecurityPolicy($policy); |
||
169 | return $response; |
||
170 | } catch (\Exception $e) { |
||
171 | $params = [ |
||
172 | 'errors' => [['error' => $e->getMessage()]] |
||
173 | ]; |
||
174 | return new TemplateResponse('core', 'error', $params, 'guest'); |
||
175 | } |
||
176 | |||
177 | } |
||
178 | } |
||
179 |
This method has been deprecated. The supplier of the class has supplied an explanatory message.
The explanatory message should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead.