From 797e0a614cc44e627a54dfd39ce4047d176ebd9b Mon Sep 17 00:00:00 2001
From: Vincent Petry <pvince81@owncloud.com>
Date: Fri, 10 Jan 2014 16:14:37 +0100
Subject: Added extra checks for invalid file chars in newfile.php and
 newfolder.php

- added PHP utility function to check for file name validity
- fixes issue where a user can create a file called ".." from the files UI
- added extra checks to make sure newfile.php and newfolder.php also
  check for invalid characters
---
 apps/files/ajax/newfile.php | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

(limited to 'apps/files/ajax/newfile.php')

diff --git a/apps/files/ajax/newfile.php b/apps/files/ajax/newfile.php
index 1853098c507..0187b200759 100644
--- a/apps/files/ajax/newfile.php
+++ b/apps/files/ajax/newfile.php
@@ -50,16 +50,22 @@ $l10n = \OC_L10n::get('files');
 $result = array(
 	'success' 	=> false,
 	'data'		=> NULL
-	);
+);
+$trimmedFileName = trim($filename);
 
-if(trim($filename) === '') {
+if($trimmedFileName === '') {
 	$result['data'] = array('message' => (string)$l10n->t('File name cannot be empty.'));
 	OCP\JSON::error($result);
 	exit();
 }
+if($trimmedFileName === '.' || $trimmedFileName === '..') {
+	$result['data'] = array('message' => (string)$l10n->t('"%s" is an invalid file name.', $trimmedFileName));
+	OCP\JSON::error($result);
+	exit();
+}
 
-if(strpos($filename, '/') !== false) {
-	$result['data'] = array('message' => (string)$l10n->t('File name must not contain "/". Please choose a different name.'));
+if(!OCP\Util::isValidFileName($filename)) {
+	$result['data'] = array('message' => (string)$l10n->t("Invalid name, '\\', '/', '<', '>', ':', '\"', '|', '?' and '*' are not allowed."));
 	OCP\JSON::error($result);
 	exit();
 }
-- 
cgit v1.2.3