authorRobin Appelman <icewind@owncloud.com>2012-06-06 00:02:13 +0200
committerRobin Appelman <icewind@owncloud.com>2012-06-06 00:02:51 +0200
commite6c4e53486b7c1a2f9da7b3ebca3b2581406fb92 (patch)
treed1588e49eea8e5cc1380b7f6d00be09c00b0911a
parent3ce6344d40385e38335fb9716233cbf7c5241860 (diff)
downloadnextcloud-server-e6c4e53486b7c1a2f9da7b3ebca3b2581406fb92.tar.gz
nextcloud-server-e6c4e53486b7c1a2f9da7b3ebca3b2581406fb92.zip
prevent creating files with a / the name
-rw-r--r--apps/files/ajax/newfile.php4
-rw-r--r--apps/files/ajax/newfolder.php4
-rw-r--r--apps/files/js/files.js5
3 files changed, 13 insertions, 0 deletions
diff --git a/apps/files/ajax/newfile.php b/apps/files/ajax/newfile.php
index 316eac0562d..edb78414872 100644
--- a/apps/files/ajax/newfile.php
+++ b/apps/files/ajax/newfile.php
@@ -15,6 +15,10 @@ if($filename == '') {
OCP\JSON::error(array("data" => array( "message" => "Empty Filename" )));
exit();
}
+if(strpos($filename,'/')!==false){
+ OCP\JSON::error(array("data" => array( "message" => "Invalid Filename" )));
+ exit();
+}
if($source){
if(substr($source,0,8)!='https://' and substr($source,0,7)!='http://'){
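Review bot: The new guard rejects only a forward slash, so a `$filename` of `.` or `..`, or one containing a backslash (a path separator on Windows hosts), still reaches the file-creation code below. Whether a later layer normalises or rejects such names is not visible in this hunk, so this is worth confirming rather than assuming. If it does not, the condition could be widened, for example `if(strpos($filename,'/')!==false or strpos($filename,'\\')!==false or $filename=='.' or $filename=='..'){`. The same check is duplicated in newfolder.php, so a small shared validation helper would keep the two endpoints from drifting apart.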
diff --git a/apps/files/ajax/newfolder.php b/apps/files/ajax/newfolder.php
index 512e0e1f6d9..0668a6191f4 100644
--- a/apps/files/ajax/newfolder.php
+++ b/apps/files/ajax/newfolder.php
@@ -13,6 +13,10 @@ if(trim($foldername) == '') {
OCP\JSON::error(array("data" => array( "message" => "Empty Foldername" )));
exit();
}
+if(strpos($filename,'/')!==false){
+ OCP\JSON::error(array("data" => array( "message" => "Invalid Foldername" )));
+ exit();
+}
if(OC_Files::newFile($dir, stripslashes($foldername), 'dir')) {
OCP\JSON::success(array("data" => array()));
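Review bot: The added guard tests `$filename`, but the variable this script uses is `$foldername`, as seen in the `trim($foldername)` check above and the `OC_Files::newFile($dir, stripslashes($foldername), 'dir')` call below. Unless `$filename` is assigned somewhere outside the hunk, `strpos()` receives an undefined value and the condition is never true, so a folder name containing `/` is still accepted server-side. The line should read `if(strpos($foldername,'/')!==false){`. Until that is fixed, the only effective check for folder names is the client-side one added in files.js, which does not apply to requests sent directly to this endpoint.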
diff --git a/apps/files/js/files.js b/apps/files/js/files.js
index 7cd0f388a3c..a079deb9539 100644
--- a/apps/files/js/files.js
+++ b/apps/files/js/files.js
@@ -452,6 +452,11 @@ $(document).ready(function() {
input.focus();
input.change(function(){
var name=$(this).val();
+ if(name.indexOf('/')!=-1){
+ $('#notification').text(t('files','Invalid name, \'/\' is not allowed.'));
+ $('#notification').fadeIn();
+ return;
+ }
switch(type){
case 'file':
$.post(