From 063c9accb6772001ade8bea1251cd0d9bd000e15 Mon Sep 17 00:00:00 2001
From: Robin Appelman <icewind@owncloud.com>
Date: Wed, 6 Jun 2012 00:02:13 +0200
Subject: [PATCH] prevent creating files with a / the name

---
 apps/files/ajax/newfile.php   | 4 ++++
 apps/files/ajax/newfolder.php | 4 ++++
 apps/files/js/files.js        | 5 +++++
 3 files changed, 13 insertions(+)

diff --git a/apps/files/ajax/newfile.php b/apps/files/ajax/newfile.php
index 316eac0562..edb7841487 100644
--- a/apps/files/ajax/newfile.php
+++ b/apps/files/ajax/newfile.php
@@ -15,6 +15,10 @@ if($filename == '') {
 	OCP\JSON::error(array("data" => array( "message" => "Empty Filename" )));
 	exit();
 }
+if(strpos($filename,'/')!==false){
+	OCP\JSON::error(array("data" => array( "message" => "Invalid Filename" )));
+	exit();
+}
 
 if($source){
 	if(substr($source,0,8)!='https://' and substr($source,0,7)!='http://'){
diff --git a/apps/files/ajax/newfolder.php b/apps/files/ajax/newfolder.php
index 512e0e1f6d..0668a6191f 100644
--- a/apps/files/ajax/newfolder.php
+++ b/apps/files/ajax/newfolder.php
@@ -13,6 +13,10 @@ if(trim($foldername) == '') {
 	OCP\JSON::error(array("data" => array( "message" => "Empty Foldername" )));
 	exit();
 }
+if(strpos($filename,'/')!==false){
+	OCP\JSON::error(array("data" => array( "message" => "Invalid Foldername" )));
+	exit();
+}
 
 if(OC_Files::newFile($dir, stripslashes($foldername), 'dir')) {
 	OCP\JSON::success(array("data" => array()));
diff --git a/apps/files/js/files.js b/apps/files/js/files.js
index 40d5be2214..db29b22275 100644
--- a/apps/files/js/files.js
+++ b/apps/files/js/files.js
@@ -448,6 +448,11 @@ $(document).ready(function() {
 		input.focus();
 		input.change(function(){
 			var name=$(this).val();
+			if(name.indexOf('/')!=-1){
+				$('#notification').text(t('files','Invalid name, \'/\' is not allowed.'));
+				$('#notification').fadeIn();
+				return;
+			}
 			switch(type){
 				case 'file':
 					$.post(
-- 
GitLab