Merge pull request #278 from nextcloud/master-traversal-directory-js
Do not allow directory traversal using "../"
commit
c33b5046e0
|
@ -1404,7 +1404,7 @@
|
||||||
* @param {string} [fileId] file id
|
* @param {string} [fileId] file id
|
||||||
*/
|
*/
|
||||||
_setCurrentDir: function(targetDir, changeUrl, fileId) {
|
_setCurrentDir: function(targetDir, changeUrl, fileId) {
|
||||||
targetDir = targetDir.replace(/\\/g, '/');
|
targetDir = targetDir.replace(/\\/g, '/').replace(/\/\.\.\//g, '/');
|
||||||
var previousDir = this.getCurrentDirectory(),
|
var previousDir = this.getCurrentDirectory(),
|
||||||
baseDir = OC.basename(targetDir);
|
baseDir = OC.basename(targetDir);
|
||||||
|
|
||||||
|
@ -1552,7 +1552,7 @@
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (status === 404) {
|
if (status === 404 || status === 405) {
|
||||||
// go back home
|
// go back home
|
||||||
this.changeDirectory('/');
|
this.changeDirectory('/');
|
||||||
return false;
|
return false;
|
||||||
|
|
|
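Review bot: The new `.replace(/\/\.\.\//g, '/')` on the `targetDir` line of `_setCurrentDir` is a single, non-overlapping pass, so it does not remove every `..` segment: two such segments in a row share a slash and only the first is matched, and a trailing `/..` with no closing slash is not matched at all. Filtering whole path segments closes both gaps and still satisfies the added specs, e.g. `targetDir = targetDir.replace(/\\/g, '/').split('/').filter(function(p) { return p !== '..'; }).join('/');`. The specs added in the test file only cover isolated segments, so one case with consecutive segments and one with a trailing `/..` would pin this down. This is client-side normalization only; the server-side handling is not visible here and presumably has to reject such paths on its own. The body of `_setCurrentDir` continues outside the hunk.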
@ -1334,11 +1334,24 @@ describe('OCA.Files.FileList tests', function() {
|
||||||
fileList.changeDirectory('/another\\subdir');
|
fileList.changeDirectory('/another\\subdir');
|
||||||
expect(fileList.getCurrentDirectory()).toEqual('/another/subdir');
|
expect(fileList.getCurrentDirectory()).toEqual('/another/subdir');
|
||||||
});
|
});
|
||||||
|
it('converts backslashes to slashes and removes traversals when calling changeDirectory()', function() {
|
||||||
|
fileList.changeDirectory('/another\\subdir/../foo\\../bar\\..\\file/..\\folder/../');
|
||||||
|
expect(fileList.getCurrentDirectory()).toEqual('/another/subdir/foo/bar/file/folder/');
|
||||||
|
});
|
||||||
|
it('does not convert folders with a ".." in the name', function() {
|
||||||
|
fileList.changeDirectory('/abc../def');
|
||||||
|
expect(fileList.getCurrentDirectory()).toEqual('/abc../def');
|
||||||
|
});
|
||||||
it('switches to root dir when current directory does not exist', function() {
|
it('switches to root dir when current directory does not exist', function() {
|
||||||
fileList.changeDirectory('/unexist');
|
fileList.changeDirectory('/unexist');
|
||||||
deferredList.reject(404);
|
deferredList.reject(404);
|
||||||
expect(fileList.getCurrentDirectory()).toEqual('/');
|
expect(fileList.getCurrentDirectory()).toEqual('/');
|
||||||
});
|
});
|
||||||
|
it('switches to root dir when current directory returns 405', function() {
|
||||||
|
fileList.changeDirectory('/unexist');
|
||||||
|
deferredList.reject(405);
|
||||||
|
expect(fileList.getCurrentDirectory()).toEqual('/');
|
||||||
|
});
|
||||||
it('switches to root dir when current directory is forbidden', function() {
|
it('switches to root dir when current directory is forbidden', function() {
|
||||||
fileList.changeDirectory('/unexist');
|
fileList.changeDirectory('/unexist');
|
||||||
deferredList.reject(403);
|
deferredList.reject(403);
|
||||||
|
|