Merge pull request #3950 from nextcloud/downstream-27149

Forbid to upload part files via web UI

6 files changed, 23 insertions, 2 deletions

diff --git a/apps/files/js/files.js b/apps/files/js/files.js
index 99f888ce0f7..5b345a45b67 100644
--- a/apps/files/js/files.js
+++ b/apps/files/js/files.js
@@ -101,7 +101,10 @@
 				throw t('files', '"{name}" is an invalid file name.', {name: name});
 			} else if (trimmedName.length === 0) {
 				throw t('files', 'File name cannot be empty.');
+			} else if (OC.fileIsBlacklisted(trimmedName)) {
+				throw t('files', '"{name}" is not an allowed filetype', {name: name});
 			}
+
 			return true;
 		},
 		displayStorageWarnings: function() {
diff --git a/apps/files/tests/js/filesSpec.js b/apps/files/tests/js/filesSpec.js
index b7627d59fdf..5c3f68b2ba4 100644
--- a/apps/files/tests/js/filesSpec.js
+++ b/apps/files/tests/js/filesSpec.js
@@ -58,7 +58,9 @@ describe('OCA.Files.Files tests', function() {
 				' ..',
 				'.. ',
 				'. ',
-				' .'
+				' .',
+				'foo.part',
+				'bar.filepart'
 			];
 			for ( var i = 0; i < fileNames.length; i++ ) {
 				var threwException = false;
diff --git a/core/js/js.js b/core/js/js.js
index 5c737d41793..8c6fc0d9c07 100644
--- a/core/js/js.js
+++ b/core/js/js.js
@@ -225,6 +225,14 @@ var OCP = {},
 	},
 
 	/**
+	 * Check if a user file is allowed to be handled.
+	 * @param {string} file to check
+	 */
+	fileIsBlacklisted: function(file) {
+		return !!(file.match(oc_config.blacklist_files_regex));
+	},
+
+	/**
 	 * Redirect to the target URL, can also be used for downloads.
 	 * @param {string} targetURL URL to redirect to
 	 */
diff --git a/core/js/tests/specHelper.js b/core/js/tests/specHelper.js
index 7897a2f2842..a411ade7dea 100644
--- a/core/js/tests/specHelper.js
+++ b/core/js/tests/specHelper.js
@@ -94,7 +94,8 @@ window.oc_appswebroots = {
 };
 window.oc_config = {
 	session_lifetime: 600 * 1000,
-	session_keepalive: false
+	session_keepalive: false,
+	blacklist_files_regex: '\.(part|filepart)$',
 };
 window.oc_appconfig = {
 	core: {}
diff --git a/lib/private/Template/JSConfigHelper.php b/lib/private/Template/JSConfigHelper.php
index 6bf08dcdada..ca45bbee9c6 100644
--- a/lib/private/Template/JSConfigHelper.php
+++ b/lib/private/Template/JSConfigHelper.php
@@ -209,6 +209,7 @@ class JSConfigHelper {
 				'modRewriteWorking'	=> ($this->config->getSystemValue('htaccess.IgnoreFrontController', false) === true || getenv('front_controller_active') === 'true'),
 				'sharing.maxAutocompleteResults' => intval($this->config->getSystemValue('sharing.maxAutocompleteResults', 0)),
 				'sharing.minSearchStringLength' => intval($this->config->getSystemValue('sharing.minSearchStringLength', 0)),
+				'blacklist_files_regex' => \OCP\Files\FileInfo::BLACKLIST_FILES_REGEX,
 			]),
 			"oc_appconfig" => json_encode([
 				'core' => [
diff --git a/lib/public/Files/FileInfo.php b/lib/public/Files/FileInfo.php
index b6718efba34..8eeb8df08ce 100644
--- a/lib/public/Files/FileInfo.php
+++ b/lib/public/Files/FileInfo.php
@@ -64,6 +64,12 @@ interface FileInfo {
 	const MIMETYPE_FOLDER = 'httpd/unix-directory';
 
 	/**
+	 * @const \OCP\Files\FileInfo::BLACKLIST_FILES_REGEX Return regular expression to test filenames against (blacklisting)
+	 * @since 12.0.0
+	 */
+	const BLACKLIST_FILES_REGEX = '\.(part|filepart)$';
+
+	/**
 	 * Get the Etag of the file or folder
 	 *
 	 * @return string