Due to a common incorrect usage of the getPath
function of the ownCloud virtual filesystem multiple security issues occurred. Especially the function may return null
in case the specified file does not exist anymore. When passing the result of getPath
in combination with null
to functions that setup a virtual chroot or other security relevant limitations PHP would typecast the return value to an empty string and thus effectively bypassing the internal security functions of ownCloud.
getPath
with a return type of null
is a common occurrence in case a folder has been shared publicly and the parent item has been deleted later from the database. Due to missing foreign keys the share is still considered valid and will finally resolve to the users’ root directory.
In such cases an adversary with knowledge of the sharing link to a deleted item may be able to access all files of the user and not only the original shared directory.
All usages of the getPath
function has been revised and corrected.
Furthermore, ownCloud 8.2 will feature another security hardening where instead of returning null
for invalid files now an exception is thrown. In case of an exception ownCloud will stop the script execution and also static source code analysis will make developers aware of such situations.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory: