Skip to content

Commit

Permalink
fix(files): disallow illegal characters
Browse files Browse the repository at this point in the history 
Signed-off-by: John Molakvoæ (skjnldsv) <[email protected]>
  • Loading branch information
@skjnldsv
skjnldsv committed Sep 22, 2023
1 parent 7755c92 commit d544b46
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 0 deletions.
4 changes: 4 additions & 0 deletions apps/files/lib/Controller/ViewController.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -247,6 +247,10 @@ public function index($dir = '', $view = '', $fileid = null, $fileNotFound = fal
$filesSortingConfig = json_decode($this->config->getUserValue($userId, 'files', 'files_sorting_configs', '{}'), true);
$this->initialState->provideInitialState('filesSortingConfig', $filesSortingConfig);

// Forbidden file characters
$forbiddenChars = ['?', '<', '>', ':', '*', '|', '"', chr(0), "\n", "\r"];
$this->initialState->provideInitialState('forbiddenCharacters', $forbiddenChars);

$event = new LoadAdditionalScriptsEvent();
$this->eventDispatcher->dispatchTyped($event);
$this->eventDispatcher->dispatchTyped(new ResourcesLoadAdditionalScriptsEvent());
Expand Down
6 changes: 6 additions & 0 deletions apps/files/src/components/FileEntry.vue
View file
Original file line number Diff line number Diff line change
Expand Up @@ -231,12 +231,15 @@ import CustomElementRender from './CustomElementRender.vue'
import CustomSvgIconRender from './CustomSvgIconRender.vue'
import FavoriteIcon from './FavoriteIcon.vue'
import logger from '../logger.js'
import { loadState } from '@nextcloud/initial-state'
// The registered actions list
const actions = getFileActions()
Vue.directive('onClickOutside', vOnClickOutside)
const forbiddenCharacters = loadState('files', 'forbiddenCharacters', [])
export default Vue.extend({
name: 'FileEntry',
Expand Down Expand Up @@ -786,6 +789,9 @@ export default Vue.extend({
throw new Error(this.t('files', 'File name cannot be empty.'))
} else if (trimmedName.indexOf('/') !== -1) {
throw new Error(this.t('files', '"/" is not allowed inside a file name.'))
} else if (forbiddenCharacters.some(char => trimmedName.indexOf(char) !== -1)) {
const char = forbiddenCharacters.find(char => trimmedName.indexOf(char) !== -1)
throw new Error(this.t('files', '"{char}" is not allowed inside a file name.', { char }))
} else if (trimmedName.match(OC.config.blacklist_files_regex)) {
throw new Error(this.t('files', '"{name}" is not an allowed filetype.', { name }))
} else if (this.checkIfNodeExists(name)) {
Expand Down

0 comments on commit d544b46

Please sign in to comment.