diff --git a/apps/files/js/filelist.js b/apps/files/js/filelist.js index 690e5e70fd..7a7d26eed7 100644 --- a/apps/files/js/filelist.js +++ b/apps/files/js/filelist.js @@ -1397,6 +1397,16 @@ return OC.linkTo('files', 'index.php')+"?dir="+ encodeURIComponent(dir).replace(/%2F/g, '/'); }, + _isValidPath: function(path) { + var sections = path.split('/'); + for (var i = 0; i < sections.length; i++) { + if (sections[i] === '..') { + return false; + } + } + return true; + }, + /** * Sets the current directory name and updates the breadcrumb. * @param targetDir directory to display @@ -1405,6 +1415,10 @@ */ _setCurrentDir: function(targetDir, changeUrl, fileId) { targetDir = targetDir.replace(/\\/g, '/'); + if (!this._isValidPath(targetDir)) { + targetDir = '/'; + changeUrl = true; + } var previousDir = this.getCurrentDirectory(), baseDir = OC.basename(targetDir); diff --git a/apps/files/tests/js/filelistSpec.js b/apps/files/tests/js/filelistSpec.js index a74e1c7328..d8d3057ec3 100644 --- a/apps/files/tests/js/filelistSpec.js +++ b/apps/files/tests/js/filelistSpec.js @@ -1334,6 +1334,31 @@ describe('OCA.Files.FileList tests', function() { fileList.changeDirectory('/another\\subdir'); expect(fileList.getCurrentDirectory()).toEqual('/another/subdir'); }); + it('switches to root dir when current directory is invalid', function() { + _.each([ + '..', + '/..', + '../', + '/../', + '/../abc', + '/abc/..', + '/abc/../', + '/../abc/' + ], function(path) { + fileList.changeDirectory(path); + expect(fileList.getCurrentDirectory()).toEqual('/'); + }); + }); + it('allows paths with dotdot at the beginning or end', function() { + _.each([ + '..abc', + 'def..', + '...' + ], function(path) { + fileList.changeDirectory(path); + expect(fileList.getCurrentDirectory()).toEqual(path); + }); + }); it('switches to root dir when current directory does not exist', function() { fileList.changeDirectory('/unexist'); deferredList.reject(404);