From e6c4e53486b7c1a2f9da7b3ebca3b2581406fb92 Mon Sep 17 00:00:00 2001
From: Robin Appelman
Date: Wed, 6 Jun 2012 00:02:13 +0200
Subject: [PATCH] prevent creating files with a / the name
---
 apps/files/ajax/newfile.php | 4 ++++
 apps/files/ajax/newfolder.php | 4 ++++
 apps/files/js/files.js | 5 +++++
 3 files changed, 13 insertions(+)
diff --git a/apps/files/ajax/newfile.php b/apps/files/ajax/newfile.php
index 316eac0562..edb7841487 100644
--- a/apps/files/ajax/newfile.php
+++ b/apps/files/ajax/newfile.php
@@ -15,6 +15,10 @@ if($filename == '') {
 OCP\JSON::error(array("data" => array( "message" => "Empty Filename" )));
 exit();
 }
+if(strpos($filename,'/')!==false){
+ OCP\JSON::error(array("data" => array( "message" => "Invalid Filename" )));
+ exit();
+}
 if($source){
 if(substr($source,0,8)!='https://' and substr($source,0,7)!='http://'){
diff --git a/apps/files/ajax/newfolder.php b/apps/files/ajax/newfolder.php
index 512e0e1f6d..0668a6191f 100644
--- a/apps/files/ajax/newfolder.php
+++ b/apps/files/ajax/newfolder.php
@@ -13,6 +13,10 @@ if(trim($foldername) == '') {
 OCP\JSON::error(array("data" => array( "message" => "Empty Foldername" )));
 exit();
 }
+if(strpos($filename,'/')!==false){
+ OCP\JSON::error(array("data" => array( "message" => "Invalid Foldername" )));
+ exit();
+}
 if(OC_Files::newFile($dir, stripslashes($foldername), 'dir')) {
 OCP\JSON::success(array("data" => array()));
diff --git a/apps/files/js/files.js b/apps/files/js/files.js
index 7cd0f388a3..a079deb953 100644
--- a/apps/files/js/files.js
+++ b/apps/files/js/files.js
@@ -452,6 +452,11 @@ $(document).ready(function() {
 input.focus();
 input.change(function(){
 var name=$(this).val();
+ if(name.indexOf('/')!=-1){
+ $('#notification').text(t('files','Invalid name, \'/\' is not allowed.'));
+ $('#notification').fadeIn();
+ return;
+ }
 switch(type){
 case 'file':
 $.post(
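Review bot: The guard added to newfile.php rejects only `/`, so a name containing a backslash still reaches the file-creation code further down. Whether that matters depends on the storage backend and host platform, which this hunk does not show. If the server can run where `\` is also a path separator, the condition should cover it, for example `if(strpos($filename,'/')!==false || strpos($filename,'\\')!==false){`. The same four lines are copied into newfolder.php, so a shared name-validation helper would keep the two endpoints from drifting apart. The script continues past the end of the hunk.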
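Review bot: The new guard in newfolder.php tests `$filename`, but every other visible line of this file uses `$foldername`: the empty-name check in the hunk header and the `OC_Files::newFile($dir, stripslashes($foldername), 'dir')` call below it. Unless `$filename` is assigned above the hunk, `strpos()` receives an undefined variable and never finds a `/`. The server would then still accept folder names containing a slash, leaving only the JavaScript check in files.js in the way. The condition should read `if(strpos($foldername,'/')!==false){`.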
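Review bot: The check added to the `input.change` handler in files.js is only a usability aid, and nothing on these lines says so. A request sent without this page never runs it, so the rule has to be enforced by ajax/newfile.php and ajax/newfolder.php. A comment such as `// UI hint only; the server-side ajax handlers must reject '/' as well` would stop a later reader from treating it as the control. On style, `name.indexOf('/')!=-1` should use `!==`, and the two `$('#notification')` lookups can be chained as `$('#notification').text(...).fadeIn();`. The handler continues past the end of the hunk.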