Ignore invalid paths in the JS file list (#25368)

author: Vincent Petry <pvince81@owncloud.com> 2016-07-06 11:55:02 +0200
committer: Thomas Müller <DeepDiver1975@users.noreply.github.com> 2016-07-06 11:55:02 +0200
commit: 1f9d72853859c1f4f60be243d11cc007420fad9e (patch)
tree: cd4a8c10449e61084b4b8afe65682841cc72435e /apps/files/js
parent: d58e6b59d332a729fae9b00ecf92ce640e7b9bb0 (diff)
download: nextcloud-server-1f9d72853859c1f4f60be243d11cc007420fad9e.tar.gz
nextcloud-server-1f9d72853859c1f4f60be243d11cc007420fad9e.zip
1 files changed, 14 insertions, 0 deletions
diff --git a/apps/files/js/filelist.js b/apps/files/js/filelist.js
index 690e5e70fdb..7a7d26eed7c 100644
--- a/apps/files/js/filelist.js
+++ b/apps/files/js/filelist.js
@@ -1397,6 +1397,16 @@
 			return OC.linkTo('files', 'index.php')+"?dir="+ encodeURIComponent(dir).replace(/%2F/g, '/');
 		},
 
+		_isValidPath: function(path) {
+			var sections = path.split('/');
+			for (var i = 0; i < sections.length; i++) {
+				if (sections[i] === '..') {
+					return false;
+				}
+			}
+			return true;
+		},
+
 		/**
 		 * Sets the current directory name and updates the breadcrumb.
 		 * @param targetDir directory to display
@@ -1405,6 +1415,10 @@
 		 */
 		_setCurrentDir: function(targetDir, changeUrl, fileId) {
 			targetDir = targetDir.replace(/\\/g, '/');
+			if (!this._isValidPath(targetDir)) {
+				targetDir = '/';
+				changeUrl = true;
+			}
 			var previousDir = this.getCurrentDirectory(),
 				baseDir = OC.basename(targetDir);
author	Vincent Petry <pvince81@owncloud.com>	2016-07-06 11:55:02 +0200
committer	Thomas Müller <DeepDiver1975@users.noreply.github.com>	2016-07-06 11:55:02 +0200
commit	1f9d72853859c1f4f60be243d11cc007420fad9e (patch)
tree	cd4a8c10449e61084b4b8afe65682841cc72435e /apps/files/js
parent	d58e6b59d332a729fae9b00ecf92ce640e7b9bb0 (diff)
download	nextcloud-server-1f9d72853859c1f4f60be243d11cc007420fad9e.tar.gz nextcloud-server-1f9d72853859c1f4f60be243d11cc007420fad9e.zip