
Exclude more invalid chars from files UI path

Prevent newlines and zero-byte chars from being used in the files UI URL and
redirect to root if one is detected.

Added additional hardening in case the request fails with 400 or the
XMLHttpRequest throws a DOMException; both can happen with invalid paths
as well.
PVince81 committed Oct 24, 2016
1 parent 2b3b8af commit 768221fcf3c526c65d85f62b0efa2da5ea00bf2d
Showing with 34 additions and 8 deletions.
  1. +25 −7 apps/files/js/filelist.js
  2. +9 −1 apps/files/tests/js/filelistSpec.js
@@ -1402,11 +1402,18 @@

_isValidPath: function(path) {
var sections = path.split('/');
for (var i = 0; i < sections.length; i++) {
var i;
for (i = 0; i < sections.length; i++) {
if (sections[i] === '..') {
return false;
}
}
var specialChars = [decodeURIComponent('%00'), decodeURIComponent('%0A')];
for (i = 0; i < specialChars.length; i++) {
if (path.indexOf(specialChars[i]) !== -1) {
return false;
}
}
return true;
},

@@ -1419,6 +1426,7 @@
_setCurrentDir: function(targetDir, changeUrl, fileId) {
targetDir = targetDir.replace(/\\/g, '/');
if (!this._isValidPath(targetDir)) {
OC.Notification.showTemporary(t('files', 'Invalid path'));
targetDir = '/';
changeUrl = true;
}
@@ -1521,12 +1529,22 @@
this._currentFileModel = null;
this.$el.find('.select-all').prop('checked', false);
this.showMask();
this._reloadCall = this.filesClient.getFolderContents(
this.getCurrentDirectory(), {
includeParent: true,
properties: this._getWebdavProperties()
try {
this._reloadCall = this.filesClient.getFolderContents(
this.getCurrentDirectory(), {
includeParent: true,
properties: this._getWebdavProperties()
}
);
} catch (e) {
if (e instanceof DOMException) {
console.error(e);
this.changeDirectory('/');
OC.Notification.showTemporary(t('files', 'Invalid path'));
return;
}
);
throw e;
}
if (this._detailsView) {
// close sidebar
this._updateDetailsView(null);
@@ -1543,7 +1561,7 @@
}

// Firewall Blocked request?
if (status === 403) {
if (status === 403 || status === 400) {
// Go home
this.changeDirectory('/');
OC.Notification.showTemporary(t('files', 'This operation is forbidden'));
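Review bot: The specialChars list in _isValidPath (first hunk) rejects only NUL and LF, so a carriage return (`%0D`) still passes the check even though the commit description says newlines are excluded; `\r` is the other newline character, and a path containing it would fall through to the 400/DOMException fallbacks added later in this commit instead of being caught up front. The entries can also be written as plain literals rather than decodeURIComponent calls, and the CR case added in the same line: `var specialChars = ['\u0000', '\n', '\r'];`. Whether CR on its own makes the server or browser reject the request is not visible from this hunk, so the added entry is defence in depth rather than a fix for a reproduced failure.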
@@ -1400,7 +1400,9 @@ describe('OCA.Files.FileList tests', function() {
'/../abc',
'/abc/..',
'/abc/../',
'/../abc/'
'/../abc/',
'/zero' + decodeURIComponent('%00') + 'byte/',
'/really who adds new' + decodeURIComponent('%0A') + 'lines in their paths/',
], function(path) {
fileList.changeDirectory(path);
expect(fileList.getCurrentDirectory()).toEqual('/');
@@ -1416,6 +1418,12 @@ describe('OCA.Files.FileList tests', function() {
expect(fileList.getCurrentDirectory()).toEqual(path);
});
});
it('switches to root dir in case of bad request', function() {
fileList.changeDirectory('/unexist');
// can happen in case of invalid chars in the URL
deferredList.reject(400);
expect(fileList.getCurrentDirectory()).toEqual('/');
});
it('switches to root dir when current directory does not exist', function() {
fileList.changeDirectory('/unexist');
deferredList.reject(404);
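Review bot: The new spec pins the 400 rejection path, but nothing in this section exercises the DOMException branch that the same commit adds around filesClient.getFolderContents in reload(); a test that stubs `filesClient.getFolderContents` to throw a `DOMException`, calls `fileList.changeDirectory('/unexist')`, and then expects `fileList.getCurrentDirectory()` to equal `'/'` would cover that fallback too. Without it the catch block (and its `throw e` for non-DOMException errors) is only verified manually. The `it` block containing the 404 case continues past the end of this hunk.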
