From 51e68729de3402fd7bc90e123c432538659b6b31 Mon Sep 17 00:00:00 2001
From: Robin Appelman <icewind1991@gmail.com>
Date: Fri, 30 Sep 2011 10:57:39 +0200
Subject: [PATCH] escape file and directory names when downloading files

---
 files/js/fileactions.js       | 2 +-
 files/templates/part.list.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/files/js/fileactions.js b/files/js/fileactions.js
index ddb16ecd5f..0089c235eb 100644
--- a/files/js/fileactions.js
+++ b/files/js/fileactions.js
@@ -125,7 +125,7 @@ FileActions={
 }
 
 FileActions.register('all','Download',function(){return OC.imagePath('core','actions/download')},function(filename){
-	window.location='ajax/download.php?files='+filename+'&dir='+$('#dir').val();
+	window.location='ajax/download.php?files='+encodeURIComponent(filename)+'&dir='+encodeURIComponent($('#dir').val());
 });
 
 FileActions.register('all','Delete',function(){return OC.imagePath('core','actions/delete')},function(filename){
diff --git a/files/templates/part.list.php b/files/templates/part.list.php
index 398094f56d..6bf5efe2fb 100644
--- a/files/templates/part.list.php
+++ b/files/templates/part.list.php
@@ -8,7 +8,7 @@
 			<tr data-file="<?php echo $file['name'];?>" data-type="<?php echo ($file['type'] == 'dir')?'dir':'file'?>" data-mime="<?php echo $file['mime']?>" data-size='<?php echo $file['size'];?>'>
 				<td class="filename svg" style="background-image:url(<?php if($file['type'] == 'dir') echo mimetype_icon('dir'); else echo mimetype_icon($file['mime']); ?>)">
 					<?php if(!isset($_['readonly']) || !$_['readonly']) { ?><input type="checkbox" /><?php } ?>
-					<a class="name" href="<?php if($file['type'] == 'dir') echo $_['baseURL'].$file['directory'].'/'.$file['name']; else echo $_['downloadURL'].$file['directory'].'/'.$file['name']; ?>" title="">
+					<a class="name" href="<?php if($file['type'] == 'dir') echo $_['baseURL'].$file['directory'].'/'.$file['name']; else echo $_['downloadURL'].urlencode($file['directory']).'/'.urlencode($file['name']); ?>" title="">
 					<span class="nametext">
 						<?php if($file['type'] == 'dir'):?>
 							<?php echo htmlspecialchars($file['name']);?>
-- 
GitLab