From 5b65591d84a0dafb9415539eef75424004f6a4f6 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Fri, 1 Jul 2016 13:33:00 +0200
Subject: [PATCH 1/3] Do not allow directory traversal using "../"
We should not allow directory traversals using "../" here. To test access the following URL once with and then without this patch: http://localhost/server/index.php/apps/files/?dir=../../This+Should+Not+Be+Here
---
 apps/files/js/filelist.js | 2 +-
 apps/files/tests/js/filelistSpec.js | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/apps/files/js/filelist.js b/apps/files/js/filelist.js
index e483882fcc..1f19c2a625 100644
--- a/apps/files/js/filelist.js
+++ b/apps/files/js/filelist.js
@@ -1404,7 +1404,7 @@
 * @param {string} [fileId] file id
 */
 _setCurrentDir: function(targetDir, changeUrl, fileId) {
- targetDir = targetDir.replace(/\\/g, '/');
+ targetDir = targetDir.replace(/\\/g, '/').replace(/\.\.\//g, '');
 var previousDir = this.getCurrentDirectory(),
 baseDir = OC.basename(targetDir);
diff --git a/apps/files/tests/js/filelistSpec.js b/apps/files/tests/js/filelistSpec.js
index ae4b75f777..baf071af9b 100644
--- a/apps/files/tests/js/filelistSpec.js
+++ b/apps/files/tests/js/filelistSpec.js
@@ -1334,6 +1334,10 @@ describe('OCA.Files.FileList tests', function() {
 fileList.changeDirectory('/another\\subdir');
 expect(fileList.getCurrentDirectory()).toEqual('/another/subdir');
 });
+ it('converts backslashes to slashes and removes traversals when calling changeDirectory()', function() {
+ fileList.changeDirectory('/another\\subdir/../foo\\../bar\\..\\file/..\\folder/../');
+ expect(fileList.getCurrentDirectory()).toEqual('/another/subdir/foo/bar/file/folder/');
+ });
 it('switches to root dir when current directory does not exist', function() {
 fileList.changeDirectory('/unexist');
 deferredList.reject(404);
From 4ac9eaab0379cc0535a6ab18be0fa147facf1bd5 Mon Sep 17 00:00:00 2001
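Review bot: The `.replace(/\.\.\//g, '')` added on the `+` line of the filelist.js hunk is a single left-to-right pass, so a path containing `....//` comes out of it as `../`: only the inner `../` is matched and removed, and the characters on either side close up into a fresh traversal segment. A one-shot global replace therefore cannot be the whole defence; the strip has to be repeated until the string stops changing, or the path normalised segment by segment. The second patch in this series changes the pattern, but keeps the single pass. `_setCurrentDir` continues past the end of the hunk.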
From: Lukas Reschke
Date: Fri, 1 Jul 2016 15:00:31 +0200
Subject: [PATCH 2/3] Match for /../
---
 apps/files/js/filelist.js | 2 +-
 apps/files/tests/js/filelistSpec.js | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/apps/files/js/filelist.js b/apps/files/js/filelist.js
index 1f19c2a625..506d423c81 100644
--- a/apps/files/js/filelist.js
+++ b/apps/files/js/filelist.js
@@ -1404,7 +1404,7 @@
 * @param {string} [fileId] file id
 */
 _setCurrentDir: function(targetDir, changeUrl, fileId) {
- targetDir = targetDir.replace(/\\/g, '/').replace(/\.\.\//g, '');
+ targetDir = targetDir.replace(/\\/g, '/').replace(/\/\.\.\//g, '/');
 var previousDir = this.getCurrentDirectory(),
 baseDir = OC.basename(targetDir);
diff --git a/apps/files/tests/js/filelistSpec.js b/apps/files/tests/js/filelistSpec.js
index baf071af9b..a9b6a1ac1c 100644
--- a/apps/files/tests/js/filelistSpec.js
+++ b/apps/files/tests/js/filelistSpec.js
@@ -1338,6 +1338,10 @@ describe('OCA.Files.FileList tests', function() {
 fileList.changeDirectory('/another\\subdir/../foo\\../bar\\..\\file/..\\folder/../');
 expect(fileList.getCurrentDirectory()).toEqual('/another/subdir/foo/bar/file/folder/');
 });
+ it('does not convert folders with a ".." in the name', function() {
+ fileList.changeDirectory('/abc../def');
+ expect(fileList.getCurrentDirectory()).toEqual('/abc../def');
+ });
 it('switches to root dir when current directory does not exist', function() {
 fileList.changeDirectory('/unexist');
 deferredList.reject(404);
From 76c73d5ec32828d9b5d546aefd489b8080b8bad5 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Fri, 1 Jul 2016 15:19:08 +0200
Subject: [PATCH 3/3] Match on 405
---
 apps/files/js/filelist.js | 2 +-
 apps/files/tests/js/filelistSpec.js | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/apps/files/js/filelist.js b/apps/files/js/filelist.js
index 506d423c81..0813d2cc30 100644
--- a/apps/files/js/filelist.js
+++ b/apps/files/js/filelist.js
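Review bot: The `.replace(/\/\.\.\//g, '/')` on the `+` line of the filelist.js hunk still lets adjacent traversal segments through, because a global regex does not re-scan the `/` it has just consumed: `/a/../../b` becomes `/a/../b` after the one pass this line makes, and a trailing `/..` with nothing after it is never matched at all. Whether a leading `../` without a slash in front can reach this line depends on what `changeDirectory` hands in, which is outside the hunk. Repeating the strip until the string no longer changes closes the gap while keeping the "strip, do not resolve" semantics the spec test in this series expects (`/another/subdir/../foo/…` still becomes `/another/subdir/foo/…`). `_setCurrentDir` continues past the end of the hunk.
```javascript
_setCurrentDir: function(targetDir, changeUrl, fileId) {
	targetDir = targetDir.replace(/\\/g, '/');
	// Strip traversal segments until nothing changes: one global replace
	// turns '/a/../../b' into '/a/../b' because the '/' it consumed cannot
	// start the next match. The '$' alternative also drops a trailing '/..'.
	var before;
	do {
		before = targetDir;
		targetDir = targetDir.replace(/\/\.\.(\/|$)/g, '/');
	} while (targetDir !== before);
	// … unchanged: previousDir / baseDir setup and the rest of the method …
```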
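Review bot: The new `it('does not convert folders with a ".." in the name', …)` case in the filelistSpec.js hunk pins only the false-positive side; nothing in the spec exercises two traversal segments next to each other, which is exactly where a single-pass replace and a repeated one differ. Adding a case next to it with `fileList.changeDirectory('/a/../../b'); expect(fileList.getCurrentDirectory()).toEqual('/a/b');` would document the intended strip semantics and fail on the current one-pass implementation, which yields `/a/../b`.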
@@ -1552,7 +1552,7 @@
 return false;
 }
- if (status === 404) {
+ if (status === 404 || status === 405) {
 // go back home
 this.changeDirectory('/');
 return false;
diff --git a/apps/files/tests/js/filelistSpec.js b/apps/files/tests/js/filelistSpec.js
index a9b6a1ac1c..453f1cafca 100644
--- a/apps/files/tests/js/filelistSpec.js
+++ b/apps/files/tests/js/filelistSpec.js
@@ -1347,6 +1347,11 @@ describe('OCA.Files.FileList tests', function() {
 deferredList.reject(404);
 expect(fileList.getCurrentDirectory()).toEqual('/');
 });
+ it('switches to root dir when current directory returns 405', function() {
+ fileList.changeDirectory('/unexist');
+ deferredList.reject(405);
+ expect(fileList.getCurrentDirectory()).toEqual('/');
+ });
 it('switches to root dir when current directory is forbidden', function() {
 fileList.changeDirectory('/unexist');
 deferredList.reject(403);
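Review bot: The changed `if (status === 404 || status === 405) {` in the filelist.js hunk folds 405 into the "go back home" branch without recording why; 405 (Method Not Allowed) normally means the server refused the request method for a resource that exists, so a reader cannot tell from `// go back home` whether a server-side misconfiguration is being hidden on purpose. The commit title "Match on 405" gives no reason either, and given the first two patches in the series the 405 is presumably the server's answer to a path outside the files root, which should be confirmed and written down. Suggest expanding the comment to `// 404: directory does not exist; 405: server refused the request for this path (TODO confirm: expected for paths outside the files root) — either way fall back to the root`. The enclosing function starts and ends outside the hunk.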