author | Vincent Petry <pvince81@owncloud.com> | 2016-07-06 11:55:02 +0200 |
---|---|---|
committer | Thomas Müller <DeepDiver1975@users.noreply.github.com> | 2016-07-06 11:55:02 +0200 |
commit | 1f9d72853859c1f4f60be243d11cc007420fad9e (patch) | |
tree | cd4a8c10449e61084b4b8afe65682841cc72435e /apps | |
parent | d58e6b59d332a729fae9b00ecf92ce640e7b9bb0 (diff) | |
Ignore invalid paths in the JS file list (#25368)
Diffstat (limited to 'apps')
-rw-r--r-- | apps/files/js/filelist.js | 14 | ||||
-rw-r--r-- | apps/files/tests/js/filelistSpec.js | 25 |
2 files changed, 39 insertions, 0 deletions
diff --git a/apps/files/js/filelist.js b/apps/files/js/filelist.js index 690e5e70fdb..7a7d26eed7c 100644 --- a/apps/files/js/filelist.js +++ b/apps/files/js/filelist.js @@ -1397,6 +1397,16 @@ return OC.linkTo('files', 'index.php')+"?dir="+ encodeURIComponent(dir).replace(/%2F/g, '/'); }, + _isValidPath: function(path) { + var sections = path.split('/'); + for (var i = 0; i < sections.length; i++) { + if (sections[i] === '..') { + return false; + } + } + return true; + }, + /** * Sets the current directory name and updates the breadcrumb. * @param targetDir directory to display @@ -1405,6 +1415,10 @@ */ _setCurrentDir: function(targetDir, changeUrl, fileId) { targetDir = targetDir.replace(/\\/g, '/'); + if (!this._isValidPath(targetDir)) { + targetDir = '/'; + changeUrl = true; + } var previousDir = this.getCurrentDirectory(), baseDir = OC.basename(targetDir); diff --git a/apps/files/tests/js/filelistSpec.js b/apps/files/tests/js/filelistSpec.js index a74e1c7328c..d8d3057ec3e 100644 --- a/apps/files/tests/js/filelistSpec.js +++ b/apps/files/tests/js/filelistSpec.js @@ -1334,6 +1334,31 @@ describe('OCA.Files.FileList tests', function() { fileList.changeDirectory('/another\\subdir'); expect(fileList.getCurrentDirectory()).toEqual('/another/subdir'); }); + it('switches to root dir when current directory is invalid', function() { + _.each([ + '..', + '/..', + '../', + '/../', + '/../abc', + '/abc/..', + '/abc/../', + '/../abc/' + ], function(path) { + fileList.changeDirectory(path); + expect(fileList.getCurrentDirectory()).toEqual('/'); + }); + }); + it('allows paths with dotdot at the beginning or end', function() { + _.each([ + '..abc', + 'def..', + '...' + ], function(path) { + fileList.changeDirectory(path); + expect(fileList.getCurrentDirectory()).toEqual(path); + }); + }); it('switches to root dir when current directory does not exist', function() { fileList.changeDirectory('/unexist'); deferredList.reject(404); |
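Review bot: `_isValidPath` in apps/files/js/filelist.js has no doc comment, and its contract is narrower than the name suggests: it only rejects a section that is exactly `..` after splitting on `/`. It does not normalise backslashes itself, so it is correct here only because `_setCurrentDir` replaces `\` with `/` before calling it; any other caller would have to do the same. I would add a JSDoc block stating that, with `@param {string} path directory path, already normalised to forward slashes` and `@return {boolean} false if any section is '..'`. The block should also say that this is a client-side sanity check for the file list and that the server still has to validate whatever path it receives.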
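Review bot: In `_setCurrentDir` the new fallback rewrites `targetDir` to `/` and forces `changeUrl = true`, but `fileId` is left as the caller passed it, so an id that belonged to the rejected directory may still be used against the root listing further down. The rest of the function is outside this hunk, so that has to be checked there; if `fileId` is read after this point, reset it in the same branch with `fileId = undefined;`. The branch is also silent about why it overrides the caller's `changeUrl`; a comment such as `// invalid path (contains '..'): fall back to root and update the URL` would record the intent.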
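Review bot: The spec 'switches to root dir when current directory is invalid' in filelistSpec.js only feeds forward-slash paths, while the guard in `_setCurrentDir` depends on the backslash replacement running before `_isValidPath`. Adding entries such as `'\\..\\abc'` and `'/abc\\..'` to the first list would pin that ordering, so a later refactor that moves the check above the `replace` fails a test. Both new specs loop over all inputs inside a single `it`, so a failure does not say which path broke; one generated `it` per path, or the path in the expectation message, would fix that. Neither spec asserts that the URL is rewritten when the fallback is taken.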