authorBjörn Schießle <bjoern@schiessle.org>2016-07-01 18:00:25 +0200
committerGitHub <noreply@github.com>2016-07-01 18:00:25 +0200
commit12796500e0f02f8a468af5963ba16ed5c7fc03de (patch)
tree964066c25a361ed8be66d8ab6724b21f0eb1189f
parent756b0c05b6ebc3e4f0addec67e96d3bdd2d5a11a (diff)
parentdea8e29289a1b99d5e889627c2e377887f4f2983 (diff)
downloadnextcloud-server-12796500e0f02f8a468af5963ba16ed5c7fc03de.tar.gz
nextcloud-server-12796500e0f02f8a468af5963ba16ed5c7fc03de.zip
Merge pull request #277 from nextcloud/traversal-directory-js
[stable9] Do not allow directory traversal using "../" in JS file list
-rw-r--r--apps/files/js/filelist.js4
-rw-r--r--apps/files/tests/js/filelistSpec.js13
2 files changed, 15 insertions, 2 deletions
diff --git a/apps/files/js/filelist.js b/apps/files/js/filelist.js
index b79dd0f66f2..99f28c6b437 100644
--- a/apps/files/js/filelist.js
+++ b/apps/files/js/filelist.js
@@ -1333,7 +1333,7 @@
* @param changeUrl true to also update the URL, false otherwise (default)
*/
_setCurrentDir: function(targetDir, changeUrl) {
- targetDir = targetDir.replace(/\\/g, '/');
+ targetDir = targetDir.replace(/\\/g, '/').replace(/\/\.\.\//g, '/');
var previousDir = this.getCurrentDirectory(),
baseDir = OC.basename(targetDir);
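Review bot: The added single-pass `replace(/\/\.\.\//g, '/')` at the top of `_setCurrentDir` is not idempotent, so it still lets some traversals through: consecutive segments overlap, and `/../../x` comes out as `/../x` because the second `../` has already lost its leading slash when the regex scans it, while a trailing `/..` with no slash after it is not matched at all. Filtering path segments closes both gaps and still keeps names that merely contain dots, which is what the spec expects for `/abc../def`: `targetDir = targetDir.replace(/\\/g, '/').split('/').filter(function(s) { return s !== '..'; }).join('/');`. Whatever form is chosen, this is client-side normalisation only; the server has to reject `..` components on its own. `_setCurrentDir` continues past the end of this hunk.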
@@ -1469,7 +1469,7 @@
return false;
}
- if (status === 404) {
+ if (status === 404 || status === 405) {
// go back home
this.changeDirectory('/');
return false;
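Review bot: The `// go back home` comment no longer explains the branch now that a 405 takes the same path as a 404: 405 means the method was refused for that path, not that the path is missing, so a reader needs to know why the two are folded together. Suggest replacing the comment with `// 404: directory no longer exists; 405: server refused to list this path (origin of the 405 to be confirmed against the server) — either way fall back to the root`. The enclosing function starts before this hunk.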
diff --git a/apps/files/tests/js/filelistSpec.js b/apps/files/tests/js/filelistSpec.js
index a83c8c4c0bc..0bdc9c2e05c 100644
--- a/apps/files/tests/js/filelistSpec.js
+++ b/apps/files/tests/js/filelistSpec.js
@@ -1323,11 +1323,24 @@ describe('OCA.Files.FileList tests', function() {
fileList.changeDirectory('/another\\subdir');
expect(fileList.getCurrentDirectory()).toEqual('/another/subdir');
});
+ it('converts backslashes to slashes and removes traversals when calling changeDirectory()', function() {
+ fileList.changeDirectory('/another\\subdir/../foo\\../bar\\..\\file/..\\folder/../');
+ expect(fileList.getCurrentDirectory()).toEqual('/another/subdir/foo/bar/file/folder/');
+ });
+ it('does not convert folders with a ".." in the name', function() {
+ fileList.changeDirectory('/abc../def');
+ expect(fileList.getCurrentDirectory()).toEqual('/abc../def');
+ });
it('switches to root dir when current directory does not exist', function() {
fileList.changeDirectory('/unexist');
deferredList.reject(404);
expect(fileList.getCurrentDirectory()).toEqual('/');
});
+ it('switches to root dir when current directory returns 405', function() {
+ fileList.changeDirectory('/unexist');
+ deferredList.reject(405);
+ expect(fileList.getCurrentDirectory()).toEqual('/');
+ });
it('switches to root dir when current directory is forbidden', function() {
fileList.changeDirectory('/unexist');
deferredList.reject(403);