mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Do not allow directory traversal using "../" 

We should not allow directory traversals using "../" here.

To test access the following URL once with and then without this patch:

http://localhost/server/index.php/apps/files/?dir=../../This+Should+Not+Be+Here
This commit is contained in:
Lukas Reschke 2016-07-01 13:33:00 +02:00
parent 8e002b6155
commit 5b65591d84
2 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
apps/files/js/filelist.js
View File

@ -1404,7 +1404,7 @@
* @param {string} [fileId] file id
*/
_setCurrentDir: function(targetDir, changeUrl, fileId) {
targetDir = targetDir.replace(/\\/g, '/');
targetDir = targetDir.replace(/\\/g, '/').replace(/\.\.\//g, '');
var previousDir = this.getCurrentDirectory(),
baseDir = OC.basename(targetDir);

4
apps/files/tests/js/filelistSpec.js
View File

@ -1334,6 +1334,10 @@ describe('OCA.Files.FileList tests', function() {
fileList.changeDirectory('/another\\subdir');
expect(fileList.getCurrentDirectory()).toEqual('/another/subdir');
});
it('converts backslashes to slashes and removes traversals when calling changeDirectory()', function() {
fileList.changeDirectory('/another\\subdir/../foo\\../bar\\..\\file/..\\folder/../');
expect(fileList.getCurrentDirectory()).toEqual('/another/subdir/foo/bar/file/folder/');
});
it('switches to root dir when current directory does not exist', function() {
fileList.changeDirectory('/unexist');
deferredList.reject(404);