authorLukas Reschke <lukas@owncloud.com>2015-03-10 11:02:47 +0100
committerLukas Reschke <lukas@owncloud.com>2015-03-10 11:02:47 +0100
commit6dc59019af78f580f2854a98e5f1d59649d510db (patch)
tree6d1e957d7249445c5bbb87b57c5ca4a85af6bf5f /apps
parent214fa44400be2b3f68566f54feff389f20f3a445 (diff)
parent3623f14e73046a51953872fe49853bc200ac736d (diff)
Merge pull request #14346 from owncloud/storage-based-path-validation
adding storage specific filename verification
Diffstat (limited to 'apps')
-rw-r--r--apps/files/ajax/newfile.php27
-rw-r--r--apps/files/ajax/newfolder.php25
-rw-r--r--apps/files/js/files.js8
-rw-r--r--apps/files/tests/js/fileUploadSpec.js13
-rw-r--r--apps/files/tests/js/filesSpec.js10
5 files changed, 20 insertions, 63 deletions
diff --git a/apps/files/ajax/newfile.php b/apps/files/ajax/newfile.php
index 062de5a2523..e1f75ae91d0 100644
--- a/apps/files/ajax/newfile.php
+++ b/apps/files/ajax/newfile.php
@@ -10,7 +10,7 @@ global $eventSource;
// Get the params
$dir = isset( $_REQUEST['dir'] ) ? '/'.trim((string)$_REQUEST['dir'], '/\\') : '';
-$filename = isset( $_REQUEST['filename'] ) ? trim((string)$_REQUEST['filename'], '/\\') : '';
+$fileName = isset( $_REQUEST['filename'] ) ? trim((string)$_REQUEST['filename'], '/\\') : '';
$l10n = \OC::$server->getL10N('files');
@@ -18,23 +18,14 @@ $result = array(
'success' => false,
'data' => NULL
);
-$trimmedFileName = trim($filename);
-if($trimmedFileName === '') {
- $result['data'] = array('message' => (string)$l10n->t('File name cannot be empty.'));
+try {
+ \OC\Files\Filesystem::getView()->verifyPath($dir, $fileName);
+} catch (\OCP\Files\InvalidPathException $ex) {
+ $result['data'] = [
+ 'message' => $ex->getMessage()];
OCP\JSON::error($result);
- exit();
-}
-if($trimmedFileName === '.' || $trimmedFileName === '..') {
- $result['data'] = array('message' => (string)$l10n->t('"%s" is an invalid file name.', $trimmedFileName));
- OCP\JSON::error($result);
- exit();
-}
-
-if(!OCP\Util::isValidFileName($filename)) {
- $result['data'] = array('message' => (string)$l10n->t("Invalid name, '\\', '/', '<', '>', ':', '\"', '|', '?' and '*' are not allowed."));
- OCP\JSON::error($result);
- exit();
+ return;
}
if (!\OC\Files\Filesystem::file_exists($dir . '/')) {
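Review bot: With the explicit empty-name, `.`/`..` and `isValidFileName` checks removed, every rejection in this hunk now depends on `verifyPath($dir, $fileName)`, whose implementation is not part of this diff (the diffstat is limited to `apps`). The request-derived `$fileName` only has leading and trailing `/` and `\` trimmed, so embedded separators and whitespace-only names have to be refused inside `verifyPath`; a server-side test covering empty, `.`, `..` and separator-containing names would pin that down, since the JavaScript specs for the invalid-character names are deleted in this same commit. The catch block also ends with `return;` while the other error branches visible here still call `exit();`, so a short comment such as `// return instead of exit() so the including caller regains control` would help if that is the intent. The same points apply to the matching hunk in apps/files/ajax/newfolder.php.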
@@ -46,12 +37,12 @@ if (!\OC\Files\Filesystem::file_exists($dir . '/')) {
exit();
}
-$target = $dir.'/'.$filename;
+$target = $dir.'/'.$fileName;
if (\OC\Files\Filesystem::file_exists($target)) {
$result['data'] = array('message' => (string)$l10n->t(
'The name %s is already used in the folder %s. Please choose a different name.',
- array($filename, $dir))
+ array($fileName, $dir))
);
OCP\JSON::error($result);
exit();
diff --git a/apps/files/ajax/newfolder.php b/apps/files/ajax/newfolder.php
index e5e038b715c..3a252c5ba3c 100644
--- a/apps/files/ajax/newfolder.php
+++ b/apps/files/ajax/newfolder.php
@@ -9,7 +9,7 @@ OCP\JSON::callCheck();
// Get the params
$dir = isset($_POST['dir']) ? (string)$_POST['dir'] : '';
-$foldername = isset($_POST['foldername']) ?(string) $_POST['foldername'] : '';
+$folderName = isset($_POST['foldername']) ?(string) $_POST['foldername'] : '';
$l10n = \OC::$server->getL10N('files');
@@ -18,16 +18,13 @@ $result = array(
'data' => NULL
);
-if(trim($foldername) === '') {
- $result['data'] = array('message' => $l10n->t('Folder name cannot be empty.'));
+try {
+ \OC\Files\Filesystem::getView()->verifyPath($dir, $folderName);
+} catch (\OCP\Files\InvalidPathException $ex) {
+ $result['data'] = [
+ 'message' => $ex->getMessage()];
OCP\JSON::error($result);
- exit();
-}
-
-if(!OCP\Util::isValidFileName($foldername)) {
- $result['data'] = array('message' => (string)$l10n->t("Invalid name, '\\', '/', '<', '>', ':', '\"', '|', '?' and '*' are not allowed."));
- OCP\JSON::error($result);
- exit();
+ return;
}
if (!\OC\Files\Filesystem::file_exists($dir . '/')) {
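Review bot: `$folderName` reaches `verifyPath` as the raw `$_POST['foldername']` string, without the `trim(..., '/\\')` that newfile.php applies to its name, and `$dir` is likewise untrimmed, so after the removal of `isValidFileName` a name containing `/` or `\` is stopped only if the storage-specific check rejects it. Since `$target = $dir . '/' . $folderName` is later handed to `mkdir`, I would document that dependency at the call, e.g. `// verifyPath() must reject empty names, '.', '..' and path separators; nothing else checks $folderName`. The response also forwards `$ex->getMessage()` to the client where the old branches used `$l10n->t(...)`; whether that message is localised and free of internal detail cannot be seen from this diff. The same forwarding occurs in the newfile.php hunk.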
@@ -39,12 +36,12 @@ if (!\OC\Files\Filesystem::file_exists($dir . '/')) {
exit();
}
-$target = $dir . '/' . $foldername;
+$target = $dir . '/' . $folderName;
if (\OC\Files\Filesystem::file_exists($target)) {
$result['data'] = array('message' => $l10n->t(
'The name %s is already used in the folder %s. Please choose a different name.',
- array($foldername, $dir))
+ array($folderName, $dir))
);
OCP\JSON::error($result);
exit();
@@ -52,9 +49,9 @@ if (\OC\Files\Filesystem::file_exists($target)) {
if(\OC\Files\Filesystem::mkdir($target)) {
if ( $dir !== '/') {
- $path = $dir.'/'.$foldername;
+ $path = $dir.'/'.$folderName;
} else {
- $path = '/'.$foldername;
+ $path = '/'.$folderName;
}
$meta = \OC\Files\Filesystem::getFileInfo($path);
$meta['type'] = 'dir'; // missing ?!
diff --git a/apps/files/js/files.js b/apps/files/js/files.js
index 314b8bf39c6..e63c3cad52e 100644
--- a/apps/files/js/files.js
+++ b/apps/files/js/files.js
@@ -102,14 +102,6 @@
} else if (trimmedName.length === 0) {
throw t('files', 'File name cannot be empty.');
}
- // check for invalid characters
- var invalidCharacters =
- ['\\', '/', '<', '>', ':', '"', '|', '?', '*', '\n'];
- for (var i = 0; i < invalidCharacters.length; i++) {
- if (trimmedName.indexOf(invalidCharacters[i]) !== -1) {
- throw t('files', "Invalid name, '\\', '/', '<', '>', ':', '\"', '|', '?' and '*' are not allowed.");
- }
- }
return true;
},
displayStorageWarnings: function() {
diff --git a/apps/files/tests/js/fileUploadSpec.js b/apps/files/tests/js/fileUploadSpec.js
index 2b4341ef1c3..49b7265ced1 100644
--- a/apps/files/tests/js/fileUploadSpec.js
+++ b/apps/files/tests/js/fileUploadSpec.js
@@ -110,18 +110,5 @@ describe('OC.Upload tests', function() {
'Not enough free space, you are uploading 5 kB but only 1000 B is left'
);
});
- it('does not add file if it has invalid characters', function() {
- var result;
- testFile.name = 'stars*stars.txt';
-
- result = addFile(testFile);
-
- expect(result).toEqual(false);
- expect(failStub.calledOnce).toEqual(true);
- expect(failStub.getCall(0).args[1].textStatus).toEqual('invalidcharacters');
- expect(failStub.getCall(0).args[1].errorThrown.substr(0, 12)).toEqual(
- 'Invalid name'
- );
- });
});
});
diff --git a/apps/files/tests/js/filesSpec.js b/apps/files/tests/js/filesSpec.js
index 4f8d5a29318..f20ba03e2f1 100644
--- a/apps/files/tests/js/filesSpec.js
+++ b/apps/files/tests/js/filesSpec.js
@@ -55,16 +55,6 @@ describe('OCA.Files.Files tests', function() {
' ',
'.',
'..',
- 'back\\slash',
- 'sl/ash',
- 'lt<lt',
- 'gt>gt',
- 'col:on',
- 'double"quote',
- 'pi|pe',
- 'dont?ask?questions?',
- 'super*star',
- 'new\nline',
' ..',
'.. ',
'. ',