author | Vincent Petry <pvince81@owncloud.com> | 2016-07-06 11:55:02 +0200 |
committer | Thomas Müller <thomas.mueller@tmit.eu> | 2016-07-06 12:01:23 +0200 |
commit | e2dbc0d0e6b8c5f26609e79614dfeb338f05b03b (patch) | |
tree | a42c012b6dfe10716d2a0b6e1bda0203a9f026c9 /apps | |
parent | 19cf727a0f055246c83317ff745b2a64a414b063 (diff) | |
download | nextcloud-server-e2dbc0d0e6b8c5f26609e79614dfeb338f05b03b.tar.gz nextcloud-server-e2dbc0d0e6b8c5f26609e79614dfeb338f05b03b.zip |
Ignore invalid paths in the JS file list (#25368)
Diffstat (limited to 'apps')
-rw-r--r-- | apps/files/js/filelist.js | 14 | ||||
-rw-r--r-- | apps/files/tests/js/filelistSpec.js | 25 |
2 files changed, 39 insertions, 0 deletions
diff --git a/apps/files/js/filelist.js b/apps/files/js/filelist.js
index 690e5e70fdb..7a7d26eed7c 100644
--- a/apps/files/js/filelist.js
+++ b/apps/files/js/filelist.js
@@ -1397,6 +1397,16 @@
 return OC.linkTo('files', 'index.php')+"?dir="+ encodeURIComponent(dir).replace(/%2F/g, '/');
 },
+ _isValidPath: function(path) {
+ var sections = path.split('/');
+ for (var i = 0; i < sections.length; i++) {
+ if (sections[i] === '..') {
+ return false;
+ }
+ }
+ return true;
+ },
+
 /**
 * Sets the current directory name and updates the breadcrumb.
 * @param targetDir directory to display
@@ -1405,6 +1415,10 @@
 */
 _setCurrentDir: function(targetDir, changeUrl, fileId) {
 targetDir = targetDir.replace(/\\/g, '/');
+ if (!this._isValidPath(targetDir)) {
+ targetDir = '/';
+ changeUrl = true;
+ }
 var previousDir = this.getCurrentDirectory(),
 baseDir = OC.basename(targetDir);
diff --git a/apps/files/tests/js/filelistSpec.js b/apps/files/tests/js/filelistSpec.js
index a74e1c7328c..d8d3057ec3e 100644
--- a/apps/files/tests/js/filelistSpec.js
+++ b/apps/files/tests/js/filelistSpec.js
@@ -1334,6 +1334,31 @@ describe('OCA.Files.FileList tests', function() {
 fileList.changeDirectory('/another\\subdir');
 expect(fileList.getCurrentDirectory()).toEqual('/another/subdir');
 });
+ it('switches to root dir when current directory is invalid', function() {
+ _.each([
+ '..',
+ '/..',
+ '../',
+ '/../',
+ '/../abc',
+ '/abc/..',
+ '/abc/../',
+ '/../abc/'
+ ], function(path) {
+ fileList.changeDirectory(path);
+ expect(fileList.getCurrentDirectory()).toEqual('/');
+ });
+ });
+ it('allows paths with dotdot at the beginning or end', function() {
+ _.each([
+ '..abc',
+ 'def..',
+ '...'
+ ], function(path) {
+ fileList.changeDirectory(path);
+ expect(fileList.getCurrentDirectory()).toEqual(path);
+ });
+ });
 it('switches to root dir when current directory does not exist', function() {
 fileList.changeDirectory('/unexist');
 deferredList.reject(404);
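Review bot: `_isValidPath` is added without a doc comment although the neighbouring `_setCurrentDir` carries a JSDoc block; a header such as `/** Returns false when any '/'-separated segment of path is '..'. Callers must normalise backslashes first. @param {String} path @return {boolean} */` states the contract and the ordering the caller depends on. The index loop can also collapse to the single line `return path.split('/').indexOf('..') === -1;`, which reads as the intent and stays within the ES5 style the file already uses. Because this runs on a user-controlled string in the browser, it is a UX guard only; the server-side path handling, which is not part of this commit, remains the authoritative check and should not be assumed relaxed. The second hunk in this file applies the check after the `\\` to `/` replacement, which is the correct order; `_setCurrentDir` continues outside the hunk.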
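Review bot: The new spec cases never use the backslash form, so the ordering `_setCurrentDir` relies on (normalising `\\` to `/` before calling `_isValidPath`) is not pinned by any test; adding `'/abc\\..'` and `'..\\abc'` to the invalid list would lock it in, assuming `changeDirectory` routes through `_setCurrentDir` as the existing `'/another\\subdir'` case suggests. The "allows" test compares `getCurrentDirectory()` with the raw input, which only holds because none of those samples contain a separator; a one-line comment, e.g. `// no separator in these inputs, so no normalisation is expected`, would keep later additions honest. Neither test asserts that the URL is updated when a path is rejected, although the production change sets `changeUrl = true` for that case. Both `it` blocks are complete within the hunk; the enclosing `describe` starts outside it.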