mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #1224 from nextcloud/do-not-allow-linebreak-in-paths 

Do not allow linebreaks and null bytes in paths
This commit is contained in:
Roeland Jago Douma 2016-09-01 14:06:40 +02:00 committed by GitHub
parent d3f82356bb 6c81c65eea
commit 8325c4443b
3 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -107,6 +107,7 @@ nbproject
/build/lib/ /build/lib/
/build/jsdocs/ /build/jsdocs/
/npm-debug.log /npm-debug.log
/PhantomJS_*
# puphpet # puphpet
puphpet puphpet

8
apps/files/js/filelist.js
View File

@ -1407,6 +1407,10 @@
return OC.linkTo('files', 'index.php')+"?dir="+ encodeURIComponent(dir).replace(/%2F/g, '/'); return OC.linkTo('files', 'index.php')+"?dir="+ encodeURIComponent(dir).replace(/%2F/g, '/');
}, },
/**
* @param {string} path
* @returns {boolean}
*/
_isValidPath: function(path) { _isValidPath: function(path) {
var sections = path.split('/'); var sections = path.split('/');
for (var i = 0; i < sections.length; i++) { for (var i = 0; i < sections.length; i++) {
@ -1414,7 +1418,9 @@
return false; return false;
} }
} }
return true;
return path.toLowerCase().indexOf(decodeURI('%0a')) === -1 &&
path.toLowerCase().indexOf(decodeURI('%00')) === -1;
}, },
/** /**

4
apps/files/tests/js/filelistSpec.js
View File

@ -1401,9 +1401,11 @@ describe('OCA.Files.FileList tests', function() {
'/abc/..', '/abc/..',
'/abc/../', '/abc/../',
'/../abc/', '/../abc/',
'/foo%0Abar/',
'/foo%00bar/',
'/another\\subdir/../foo\\../bar\\..\\file/..\\folder/../' '/another\\subdir/../foo\\../bar\\..\\file/..\\folder/../'
], function(path) { ], function(path) {
fileList.changeDirectory(path); fileList.changeDirectory(decodeURI(path));
expect(fileList.getCurrentDirectory()).toEqual('/'); expect(fileList.getCurrentDirectory()).toEqual('/');
}); });
}); });