author | Vincent Petry <pvince81@owncloud.com> | 2014-01-13 13:14:05 +0100 |
---|---|---|
committer | Vincent Petry <pvince81@owncloud.com> | 2014-02-18 17:54:32 +0100 |
commit | bd71a1b7b66f02b3630da44e24b48e29f3d02f17 (patch) | |
tree | caf60bd54c1155194101422d201a8083a3148799 /lib/private/connector/sabre/node.php | |
parent | 797e0a614cc44e627a54dfd39ce4047d176ebd9b (diff) | |
Added file name check in webdav connector
- added file name check for the put, rename and setNames() methods which
throw a "Bad Request" whenever invalid characters are used
- replaced \OC\Filesystem usage with $this->getFS() to be able to write
unit tests
Diffstat (limited to 'lib/private/connector/sabre/node.php')
-rw-r--r-- | lib/private/connector/sabre/node.php | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/lib/private/connector/sabre/node.php b/lib/private/connector/sabre/node.php
index 993aa73faeb..bf7a04f5b13 100644
--- a/lib/private/connector/sabre/node.php
+++ b/lib/private/connector/sabre/node.php
@@ -85,19 +85,24 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr
 * @return void
 */
 public function setName($name) {
+ $fs = $this->getFS();
 // rename is only allowed if the update privilege is granted
- if (!\OC\Files\Filesystem::isUpdatable($this->path)) {
+ if (!$fs->isUpdatable($this->path)) {
 throw new \Sabre_DAV_Exception_Forbidden();
 }
 list($parentPath, ) = Sabre_DAV_URLUtil::splitPath($this->path);
 list(, $newName) = Sabre_DAV_URLUtil::splitPath($name);
+ if (!\OCP\Util::isValidFileName($newName)) {
+ throw new \Sabre_DAV_Exception_BadRequest();
+ }
+
 $newPath = $parentPath . '/' . $newName;
 $oldPath = $this->path;
- \OC\Files\Filesystem::rename($this->path, $newPath);
+ $fs->rename($this->path, $newPath);
 $this->path = $newPath; |
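Review bot: The result of `$fs->rename($this->path, $newPath)` is discarded and `$this->path = $newPath;` runs unconditionally, so after a failed rename the node would refer to a path that was never created; whether `rename()` signals failure through its return value is not visible in this hunk and should be confirmed. If it does, guard the call, e.g. `if (!$fs->rename($this->path, $newPath)) { throw new \Sabre_DAV_Exception('Failed to rename'); }`. Separately, the new `isValidFileName($newName)` guard throws `\Sabre_DAV_Exception_BadRequest()` without a message; passing a short reason such as `'Invalid file name'` would make rejected requests easier to diagnose, and the unit tests this change enables should pin how empty, `.` and `..` names are handled. setName()'s body continues past the end of the hunk.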