Merge pull request #278 from nextcloud/master-traversal-directory-js

Do not allow directory traversal using "../"
author: Björn Schießle <bjoern@schiessle.org> 2016-07-01 18:30:27 +0200
committer: GitHub <noreply@github.com> 2016-07-01 18:30:27 +0200
commit: c33b5046e08a1f0c131f941e5ed93fb40e5d80e3 (patch)
tree: 94b4d01929d5c7a9c20e4bc6b26700455bd7086f /apps/files/js
parent: 8e002b61554308cb4d50570f715303a82136f0fa (diff)
parent: 76c73d5ec32828d9b5d546aefd489b8080b8bad5 (diff)
download: nextcloud-server-c33b5046e08a1f0c131f941e5ed93fb40e5d80e3.tar.gz
nextcloud-server-c33b5046e08a1f0c131f941e5ed93fb40e5d80e3.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/apps/files/js/filelist.js b/apps/files/js/filelist.js
index e483882fcc5..0813d2cc30e 100644
--- a/apps/files/js/filelist.js
+++ b/apps/files/js/filelist.js
@@ -1404,7 +1404,7 @@
 		 * @param {string} [fileId] file id
 		 */
 		_setCurrentDir: function(targetDir, changeUrl, fileId) {
-			targetDir = targetDir.replace(/\\/g, '/');
+			targetDir = targetDir.replace(/\\/g, '/').replace(/\/\.\.\//g, '/');
 			var previousDir = this.getCurrentDirectory(),
 				baseDir = OC.basename(targetDir);
 
@@ -1552,7 +1552,7 @@
 				return false;
 			}
 
-			if (status === 404) {
+			if (status === 404 || status === 405) {
 				// go back home
 				this.changeDirectory('/');
 				return false;
author	Björn Schießle <bjoern@schiessle.org>	2016-07-01 18:30:27 +0200
committer	GitHub <noreply@github.com>	2016-07-01 18:30:27 +0200
commit	c33b5046e08a1f0c131f941e5ed93fb40e5d80e3 (patch)
tree	94b4d01929d5c7a9c20e4bc6b26700455bd7086f /apps/files/js
parent	8e002b61554308cb4d50570f715303a82136f0fa (diff)
parent	76c73d5ec32828d9b5d546aefd489b8080b8bad5 (diff)
download	nextcloud-server-c33b5046e08a1f0c131f941e5ed93fb40e5d80e3.tar.gz nextcloud-server-c33b5046e08a1f0c131f941e5ed93fb40e5d80e3.zip