Merge pull request #333 from nextcloud/sync-master

Sync master

2 files changed, 50 insertions, 8 deletions

diff --git a/apps/files/js/filelist.js b/apps/files/js/filelist.js
index 24a6f4ec6e2..f0b16a57886 100644
--- a/apps/files/js/filelist.js
+++ b/apps/files/js/filelist.js
@@ -513,7 +513,7 @@
 		 * Event handler for when the URL changed
 		 */
 		_onUrlChanged: function(e) {
-			if (e && e.dir) {
+			if (e && _.isString(e.dir)) {
 				this.changeDirectory(e.dir, false, true);
 			}
 		},
@@ -1397,6 +1397,16 @@
 			return OC.linkTo('files', 'index.php')+"?dir="+ encodeURIComponent(dir).replace(/%2F/g, '/');
 		},
 
+		_isValidPath: function(path) {
+			var sections = path.split('/');
+			for (var i = 0; i < sections.length; i++) {
+				if (sections[i] === '..') {
+					return false;
+				}
+			}
+			return true;
+		},
+
 		/**
 		 * Sets the current directory name and updates the breadcrumb.
 		 * @param targetDir directory to display
@@ -1404,7 +1414,11 @@
 		 * @param {string} [fileId] file id
 		 */
 		_setCurrentDir: function(targetDir, changeUrl, fileId) {
-			targetDir = targetDir.replace(/\\/g, '/').replace(/\/\.\.\//g, '/');
+			targetDir = targetDir.replace(/\\/g, '/');
+			if (!this._isValidPath(targetDir)) {
+				targetDir = '/';
+				changeUrl = true;
+			}
 			var previousDir = this.getCurrentDirectory(),
 				baseDir = OC.basename(targetDir);
 
@@ -1415,6 +1429,9 @@
 				this.setPageTitle();
 			}
 
+			if (targetDir.length > 0 && targetDir[0] !== '/') {
+				targetDir = '/' + targetDir;
+			}
 			this._currentDirectory = targetDir;
 
 			// legacy stuff
diff --git a/apps/files/tests/js/filelistSpec.js b/apps/files/tests/js/filelistSpec.js
index 453f1cafcaf..98511fd3d64 100644
--- a/apps/files/tests/js/filelistSpec.js
+++ b/apps/files/tests/js/filelistSpec.js
@@ -1334,13 +1334,32 @@ describe('OCA.Files.FileList tests', function() {
 			fileList.changeDirectory('/another\\subdir');
 			expect(fileList.getCurrentDirectory()).toEqual('/another/subdir');
 		});
-		it('converts backslashes to slashes and removes traversals when calling changeDirectory()', function() {
-			fileList.changeDirectory('/another\\subdir/../foo\\../bar\\..\\file/..\\folder/../');
-			expect(fileList.getCurrentDirectory()).toEqual('/another/subdir/foo/bar/file/folder/');
+		it('switches to root dir when current directory is invalid', function() {
+			_.each([
+				'..',
+				'/..',
+				'../',
+				'/../',
+				'/../abc',
+				'/abc/..',
+				'/abc/../',
+				'/../abc/',
+				'/another\\subdir/../foo\\../bar\\..\\file/..\\folder/../'
+			], function(path) {
+				fileList.changeDirectory(path);
+				expect(fileList.getCurrentDirectory()).toEqual('/');
+			});
 		});
-		it('does not convert folders with a ".." in the name', function() {
-			fileList.changeDirectory('/abc../def');
-			expect(fileList.getCurrentDirectory()).toEqual('/abc../def');
+		it('allows paths with dotdot at the beginning or end', function() {
+			_.each([
+				'/..abc',
+				'/def..',
+				'/...',
+				'/abc../def'
+			], function(path) {
+				fileList.changeDirectory(path);
+				expect(fileList.getCurrentDirectory()).toEqual(path);
+			});
 		});
 		it('switches to root dir when current directory does not exist', function() {
 			fileList.changeDirectory('/unexist');
@@ -1404,6 +1423,12 @@ describe('OCA.Files.FileList tests', function() {
 			setDirSpy.restore();
 			getFolderContentsStub.restore();
 		});
+		it('prepends a slash to directory if none was given', function() {
+			fileList.changeDirectory('');
+			expect(fileList.getCurrentDirectory()).toEqual('/');
+			fileList.changeDirectory('noslash');
+			expect(fileList.getCurrentDirectory()).toEqual('/noslash');
+		});
 	});
 	describe('breadcrumb events', function() {
 		var deferredList;