Ignore invalid paths in the JS file list (#25368)

diff --git a/apps/files/js/filelist.js b/apps/files/js/filelist.js
index 690e5e70fdb7ccceb110ac65a6d1bbc475616f07..7a7d26eed7c19719f6d5f89020a27bd5fdba3fd5 100644 (file)
--- a/apps/files/js/filelist.js
+++ b/apps/files/js/filelist.js
@@ -1397,6 +1397,16 @@
                        return OC.linkTo('files', 'index.php')+"?dir="+ encodeURIComponent(dir).replace(/%2F/g, '/');
                },
 
+               _isValidPath: function(path) {
+                       var sections = path.split('/');
+                       for (var i = 0; i < sections.length; i++) {
+                               if (sections[i] === '..') {
+                                       return false;
+                               }
+                       }
+                       return true;
+               },
+
                /**
                 * Sets the current directory name and updates the breadcrumb.
                 * @param targetDir directory to display
@@ -1405,6 +1415,10 @@
                 */
                _setCurrentDir: function(targetDir, changeUrl, fileId) {
                        targetDir = targetDir.replace(/\\/g, '/');
+                       if (!this._isValidPath(targetDir)) {
+                               targetDir = '/';
+                               changeUrl = true;
+                       }
                        var previousDir = this.getCurrentDirectory(),
                                baseDir = OC.basename(targetDir);
 

diff --git a/apps/files/tests/js/filelistSpec.js b/apps/files/tests/js/filelistSpec.js
index a74e1c7328c7b9bb905202d8873581d322068f88..d8d3057ec3e2f4e62ad75a0ebd13d983d515f03c 100644 (file)
--- a/apps/files/tests/js/filelistSpec.js
+++ b/apps/files/tests/js/filelistSpec.js
@@ -1334,6 +1334,31 @@ describe('OCA.Files.FileList tests', function() {
                        fileList.changeDirectory('/another\\subdir');
                        expect(fileList.getCurrentDirectory()).toEqual('/another/subdir');
                });
+               it('switches to root dir when current directory is invalid', function() {
+                       _.each([
+                               '..',
+                               '/..',
+                               '../',
+                               '/../',
+                               '/../abc',
+                               '/abc/..',
+                               '/abc/../',
+                               '/../abc/'
+                       ], function(path) {
+                               fileList.changeDirectory(path);
+                               expect(fileList.getCurrentDirectory()).toEqual('/');
+                       });
+               });
+               it('allows paths with dotdot at the beginning or end', function() {
+                       _.each([
+                               '..abc',
+                               'def..',
+                               '...'
+                       ], function(path) {
+                               fileList.changeDirectory(path);
+                               expect(fileList.getCurrentDirectory()).toEqual(path);
+                       });
+               });
                it('switches to root dir when current directory does not exist', function() {
                        fileList.changeDirectory('/unexist');
                        deferredList.reject(404);