prevent creating files with a / the name

2 files changed, 8 insertions, 0 deletions

diff --git a/apps/files/ajax/newfile.php b/apps/files/ajax/newfile.php
index 316eac0562d..edb78414872 100644
--- a/apps/files/ajax/newfile.php
+++ b/apps/files/ajax/newfile.php
@@ -15,6 +15,10 @@ if($filename == '') {
 	OCP\JSON::error(array("data" => array( "message" => "Empty Filename" )));
 	exit();
 }
+if(strpos($filename,'/')!==false){
+	OCP\JSON::error(array("data" => array( "message" => "Invalid Filename" )));
+	exit();
+}
 
 if($source){
 	if(substr($source,0,8)!='https://' and substr($source,0,7)!='http://'){
diff --git a/apps/files/ajax/newfolder.php b/apps/files/ajax/newfolder.php
index 512e0e1f6d9..0668a6191f4 100644
--- a/apps/files/ajax/newfolder.php
+++ b/apps/files/ajax/newfolder.php
@@ -13,6 +13,10 @@ if(trim($foldername) == '') {
 	OCP\JSON::error(array("data" => array( "message" => "Empty Foldername" )));
 	exit();
 }
+if(strpos($filename,'/')!==false){
+	OCP\JSON::error(array("data" => array( "message" => "Invalid Foldername" )));
+	exit();
+}
 
 if(OC_Files::newFile($dir, stripslashes($foldername), 'dir')) {
 	OCP\JSON::success(array("data" => array()));