author | Björn Schießle <bjoern@schiessle.org> | 2016-07-01 18:00:25 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-07-01 18:00:25 +0200 |
commit | 12796500e0f02f8a468af5963ba16ed5c7fc03de (patch) | |
tree | 964066c25a361ed8be66d8ab6724b21f0eb1189f | |
parent | 756b0c05b6ebc3e4f0addec67e96d3bdd2d5a11a (diff) | |
parent | dea8e29289a1b99d5e889627c2e377887f4f2983 (diff) | |
Merge pull request #277 from nextcloud/traversal-directory-js
[stable9] Do not allow directory traversal using "../" in JS file list
-rw-r--r-- | apps/files/js/filelist.js | 4 | ||||
-rw-r--r-- | apps/files/tests/js/filelistSpec.js | 13 |
2 files changed, 15 insertions, 2 deletions
diff --git a/apps/files/js/filelist.js b/apps/files/js/filelist.js
index b79dd0f66f2..99f28c6b437 100644
--- a/apps/files/js/filelist.js
+++ b/apps/files/js/filelist.js
@@ -1333,7 +1333,7 @@
 * @param changeUrl true to also update the URL, false otherwise (default)
 */
 _setCurrentDir: function(targetDir, changeUrl) {
- targetDir = targetDir.replace(/\\/g, '/');
+ targetDir = targetDir.replace(/\\/g, '/').replace(/\/\.\.\//g, '/');
 var previousDir = this.getCurrentDirectory(),
 baseDir = OC.basename(targetDir);
@@ -1469,7 +1469,7 @@
 return false;
 }
- if (status === 404) {
+ if (status === 404 || status === 405) {
 // go back home
 this.changeDirectory('/');
 return false;
diff --git a/apps/files/tests/js/filelistSpec.js b/apps/files/tests/js/filelistSpec.js
index a83c8c4c0bc..0bdc9c2e05c 100644
--- a/apps/files/tests/js/filelistSpec.js
+++ b/apps/files/tests/js/filelistSpec.js
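Review bot: The added `.replace(/\/\.\.\//g, '/')` on the `targetDir` line is a single non-overlapping pass, so adjacent traversal segments survive it: `'/a/../../b'` comes out as `'/a/../b'` because the slash consumed by the first match is the one the second match needs, and a trailing `/..` with no closing slash is not matched at all. A segment-based normalization covers both cases and still yields exactly what the new specs assert, e.g. `targetDir = targetDir.replace(/\\/g, '/').split('/').filter(function(part) { return part !== '..'; }).join('/');`. This remains a client-side guard only; the server must keep rejecting such paths itself, which the 405 handling in the next hunk suggests it does, though that is not visible here. `_setCurrentDir`'s body continues outside the hunk.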
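Review bot: The new `status === 405` condition reuses the `// go back home` comment written for the 404 case, so a reader cannot tell why a method-not-allowed response is handled as a missing directory; a comment such as `// 404: directory no longer exists; 405: server refused the path (presumably a rejected traversal) - fall back to the root in both cases` would record the intent where the condition is. The "presumably" is deliberate since the server behaviour is not shown in this change. The enclosing function starts and ends outside the hunk.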
@@ -1323,11 +1323,24 @@ describe('OCA.Files.FileList tests', function() {
 fileList.changeDirectory('/another\\subdir');
 expect(fileList.getCurrentDirectory()).toEqual('/another/subdir');
 });
+ it('converts backslashes to slashes and removes traversals when calling changeDirectory()', function() {
+ fileList.changeDirectory('/another\\subdir/../foo\\../bar\\..\\file/..\\folder/../');
+ expect(fileList.getCurrentDirectory()).toEqual('/another/subdir/foo/bar/file/folder/');
+ });
+ it('does not convert folders with a ".." in the name', function() {
+ fileList.changeDirectory('/abc../def');
+ expect(fileList.getCurrentDirectory()).toEqual('/abc../def');
+ });
 it('switches to root dir when current directory does not exist', function() {
 fileList.changeDirectory('/unexist');
 deferredList.reject(404);
 expect(fileList.getCurrentDirectory()).toEqual('/');
 });
+ it('switches to root dir when current directory returns 405', function() {
+ fileList.changeDirectory('/unexist');
+ deferredList.reject(405);
+ expect(fileList.getCurrentDirectory()).toEqual('/');
+ });
 it('switches to root dir when current directory is forbidden', function() {
 fileList.changeDirectory('/unexist');
 deferredList.reject(403);
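Review bot: The new `converts backslashes to slashes and removes traversals` spec only exercises `..` segments that are each separated by a real directory name, so it cannot catch the case a single-pass regex handles worst: consecutive traversals and a trailing `..` with no closing slash. A spec like the one below, placed next to the new traversal case, pins that behaviour; against the current `.replace(/\/\.\.\//g, '/')` it fails on `'/a/../../b'`, which is the reason to add it alongside a segment-based normalization. The expected value follows the existing specs' convention of stripping `..` segments rather than resolving them.

```javascript
it('removes consecutive and trailing traversals when calling changeDirectory()', function() {
	fileList.changeDirectory('/a/../../b/..');
	expect(fileList.getCurrentDirectory()).toEqual('/a/b');
});
```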