diff options
| author | Vincent Petry <pvince81@owncloud.com> | 2014-01-10 16:14:37 +0100 |
|---|---|---|
| committer | Vincent Petry <pvince81@owncloud.com> | 2014-02-18 17:54:32 +0100 |
| commit | 797e0a614cc44e627a54dfd39ce4047d176ebd9b (patch) | |
| tree | fd0ed9c7d0d181a31da0f842414f3ed5ec5b9ea9 /apps/files/ajax | |
| parent | a573fe7d769f5eea26f52b818eee11779090bb50 (diff) | |
| download | nextcloud-server-797e0a614cc44e627a54dfd39ce4047d176ebd9b.tar.gz nextcloud-server-797e0a614cc44e627a54dfd39ce4047d176ebd9b.zip | |
Added extra checks for invalid file chars in newfile.php and newfolder.php
- added PHP utility function to check for file name validity
- fixes issue where a user can create a file called ".." from the files UI
- added extra checks to make sure newfile.php and newfolder.php also
check for invalid characters
Diffstat (limited to 'apps/files/ajax')
| -rw-r--r-- | apps/files/ajax/newfile.php | 14 | ||||
| -rw-r--r-- | apps/files/ajax/newfolder.php | 4 |
2 files changed, 12 insertions, 6 deletions
diff --git a/apps/files/ajax/newfile.php b/apps/files/ajax/newfile.php index 1853098c507..0187b200759 100644 --- a/apps/files/ajax/newfile.php +++ b/apps/files/ajax/newfile.php @@ -50,16 +50,22 @@ $l10n = \OC_L10n::get('files'); $result = array( 'success' => false, 'data' => NULL - ); +); +$trimmedFileName = trim($filename); -if(trim($filename) === '') { +if($trimmedFileName === '') { $result['data'] = array('message' => (string)$l10n->t('File name cannot be empty.')); OCP\JSON::error($result); exit(); } +if($trimmedFileName === '.' || $trimmedFileName === '..') { + $result['data'] = array('message' => (string)$l10n->t('"%s" is an invalid file name.', $trimmedFileName)); + OCP\JSON::error($result); + exit(); +} -if(strpos($filename, '/') !== false) { - $result['data'] = array('message' => (string)$l10n->t('File name must not contain "/". Please choose a different name.')); +if(!OCP\Util::isValidFileName($filename)) { + $result['data'] = array('message' => (string)$l10n->t("Invalid name, '\\', '/', '<', '>', ':', '\"', '|', '?' and '*' are not allowed.")); OCP\JSON::error($result); exit(); } diff --git a/apps/files/ajax/newfolder.php b/apps/files/ajax/newfolder.php index 4cfcae3090d..b2b4fb27f74 100644 --- a/apps/files/ajax/newfolder.php +++ b/apps/files/ajax/newfolder.php @@ -23,8 +23,8 @@ if(trim($foldername) === '') { exit(); } -if(strpos($foldername, '/') !== false) { - $result['data'] = array('message' => $l10n->t('Folder name must not contain "/". Please choose a different name.')); +if(!OCP\Util::isValidFileName($foldername)) { + $result['data'] = array('message' => (string)$l10n->t("Invalid name, '\\', '/', '<', '>', ':', '\"', '|', '?' and '*' are not allowed.")); OCP\JSON::error($result); exit(); } |