Do not allow directory traversal using "../"

We should not allow directory traversals using "../" here. To test access the following URL once with and then without this patch: http://localhost/server/index.php/apps/files/?dir=../../This+Should+Not+Be+Here
author: Lukas Reschke <lukas@owncloud.com> 2016-07-01 13:33:00 +0200
committer: Lukas Reschke <lukas@owncloud.com> 2016-07-01 13:36:05 +0200
commit: 5b65591d84a0dafb9415539eef75424004f6a4f6 (patch)
tree: ee892149ed23139b8ce8f29fe6120374e3ae4686 /apps/files/js/filelist.js
parent: 8e002b61554308cb4d50570f715303a82136f0fa (diff)
download: nextcloud-server-5b65591d84a0dafb9415539eef75424004f6a4f6.tar.gz
nextcloud-server-5b65591d84a0dafb9415539eef75424004f6a4f6.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/apps/files/js/filelist.js b/apps/files/js/filelist.js
index e483882fcc5..1f19c2a6258 100644
--- a/apps/files/js/filelist.js
+++ b/apps/files/js/filelist.js
@@ -1404,7 +1404,7 @@
 		 * @param {string} [fileId] file id
 		 */
 		_setCurrentDir: function(targetDir, changeUrl, fileId) {
-			targetDir = targetDir.replace(/\\/g, '/');
+			targetDir = targetDir.replace(/\\/g, '/').replace(/\.\.\//g, '');
 			var previousDir = this.getCurrentDirectory(),
 				baseDir = OC.basename(targetDir);
author	Lukas Reschke <lukas@owncloud.com>	2016-07-01 13:33:00 +0200
committer	Lukas Reschke <lukas@owncloud.com>	2016-07-01 13:36:05 +0200
commit	5b65591d84a0dafb9415539eef75424004f6a4f6 (patch)
tree	ee892149ed23139b8ce8f29fe6120374e3ae4686 /apps/files/js/filelist.js
parent	8e002b61554308cb4d50570f715303a82136f0fa (diff)
download	nextcloud-server-5b65591d84a0dafb9415539eef75424004f6a4f6.tar.gz nextcloud-server-5b65591d84a0dafb9415539eef75424004f6a4f6.zip