diff --git a/apps/files/js/filelist.js b/apps/files/js/filelist.js index b79dd0f66f..e3f1a1ed02 100644 --- a/apps/files/js/filelist.js +++ b/apps/files/js/filelist.js @@ -1327,6 +1327,16 @@ return OC.linkTo('files', 'index.php')+"?dir="+ encodeURIComponent(dir).replace(/%2F/g, '/'); }, + _isValidPath: function(path) { + var sections = path.split('/'); + for (var i = 0; i < sections.length; i++) { + if (sections[i] === '..') { + return false; + } + } + return true; + }, + /** * Sets the current directory name and updates the breadcrumb. * @param targetDir directory to display @@ -1334,6 +1344,10 @@ */ _setCurrentDir: function(targetDir, changeUrl) { targetDir = targetDir.replace(/\\/g, '/'); + if (!this._isValidPath(targetDir)) { + targetDir = '/'; + changeUrl = true; + } var previousDir = this.getCurrentDirectory(), baseDir = OC.basename(targetDir); diff --git a/apps/files/tests/js/filelistSpec.js b/apps/files/tests/js/filelistSpec.js index a83c8c4c0b..7ca6c4b16f 100644 --- a/apps/files/tests/js/filelistSpec.js +++ b/apps/files/tests/js/filelistSpec.js @@ -1323,6 +1323,31 @@ describe('OCA.Files.FileList tests', function() { fileList.changeDirectory('/another\\subdir'); expect(fileList.getCurrentDirectory()).toEqual('/another/subdir'); }); + it('switches to root dir when current directory is invalid', function() { + _.each([ + '..', + '/..', + '../', + '/../', + '/../abc', + '/abc/..', + '/abc/../', + '/../abc/' + ], function(path) { + fileList.changeDirectory(path); + expect(fileList.getCurrentDirectory()).toEqual('/'); + }); + }); + it('allows paths with dotdot at the beginning or end', function() { + _.each([ + '..abc', + 'def..', + '...' + ], function(path) { + fileList.changeDirectory(path); + expect(fileList.getCurrentDirectory()).toEqual(path); + }); + }); it('switches to root dir when current directory does not exist', function() { fileList.changeDirectory('/unexist'); deferredList.reject(404);