Merge pull request #1224 from nextcloud/do-not-allow-linebreak-in-paths
Do not allow linebreaks and null bytes in paths
commit
8325c4443b
|
@ -107,6 +107,7 @@ nbproject
|
||||||
/build/lib/
|
/build/lib/
|
||||||
/build/jsdocs/
|
/build/jsdocs/
|
||||||
/npm-debug.log
|
/npm-debug.log
|
||||||
|
/PhantomJS_*
|
||||||
|
|
||||||
# puphpet
|
# puphpet
|
||||||
puphpet
|
puphpet
|
||||||
|
|
|
@ -1407,6 +1407,10 @@
|
||||||
return OC.linkTo('files', 'index.php')+"?dir="+ encodeURIComponent(dir).replace(/%2F/g, '/');
|
return OC.linkTo('files', 'index.php')+"?dir="+ encodeURIComponent(dir).replace(/%2F/g, '/');
|
||||||
},
|
},
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param {string} path
|
||||||
|
* @returns {boolean}
|
||||||
|
*/
|
||||||
_isValidPath: function(path) {
|
_isValidPath: function(path) {
|
||||||
var sections = path.split('/');
|
var sections = path.split('/');
|
||||||
for (var i = 0; i < sections.length; i++) {
|
for (var i = 0; i < sections.length; i++) {
|
||||||
|
@ -1414,7 +1418,9 @@
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return true;
|
|
||||||
|
return path.toLowerCase().indexOf(decodeURI('%0a')) === -1 &&
|
||||||
|
path.toLowerCase().indexOf(decodeURI('%00')) === -1;
|
||||||
},
|
},
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
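Review bot: The new return expression in `_isValidPath` rejects only a line feed and a NUL byte, so a path containing a carriage return (`\r`) still passes even though the commit title speaks of linebreaks; whether that matters depends on how the server handles the `dir` value, which is not visible here. `decodeURI('%0a')` and `decodeURI('%00')` are just `'\n'` and `'\0'`, and `toLowerCase()` has no effect on control characters, so the check could be written as `return !/[\0\r\n]/.test(path);`. The added JSDoc would also benefit from one sentence stating what makes a path invalid. The loop body of `_isValidPath` falls between the two hunks and is not shown.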
|
@ -1401,9 +1401,11 @@ describe('OCA.Files.FileList tests', function() {
|
||||||
'/abc/..',
|
'/abc/..',
|
||||||
'/abc/../',
|
'/abc/../',
|
||||||
'/../abc/',
|
'/../abc/',
|
||||||
|
'/foo%0Abar/',
|
||||||
|
'/foo%00bar/',
|
||||||
'/another\\subdir/../foo\\../bar\\..\\file/..\\folder/../'
|
'/another\\subdir/../foo\\../bar\\..\\file/..\\folder/../'
|
||||||
], function(path) {
|
], function(path) {
|
||||||
fileList.changeDirectory(path);
|
fileList.changeDirectory(decodeURI(path));
|
||||||
expect(fileList.getCurrentDirectory()).toEqual('/');
|
expect(fileList.getCurrentDirectory()).toEqual('/');
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
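Review bot: Changing the call to `fileList.changeDirectory(decodeURI(path))` decodes every entry in the list, not just the two new ones, so a later entry containing a literal `%` would be altered or make `decodeURI` throw before the assertion runs. Writing the new cases as `'/foo\nbar/'` and `'/foo\0bar/'` and keeping `fileList.changeDirectory(path);` would exercise the same check without that coupling. The list itself starts above the hunk, so the other entries are not visible from here.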