Merge pull request #1224 from nextcloud/do-not-allow-linebreak-in-paths

Do not allow linebreaks and null bytes in paths

.gitignore

@@ -107,6 +107,7 @@ nbproject
 /build/lib/
 /build/jsdocs/
 /npm-debug.log
+/PhantomJS_*
 
 # puphpet
 puphpet

apps/files/js/filelist.js

@@ -1407,6 +1407,10 @@
 			return OC.linkTo('files', 'index.php')+"?dir="+ encodeURIComponent(dir).replace(/%2F/g, '/');
 		},
 
+		/**
+		 * @param {string} path
+		 * @returns {boolean}
+		 */
 		_isValidPath: function(path) {
 			var sections = path.split('/');
 			for (var i = 0; i < sections.length; i++) {
@@ -1414,7 +1418,9 @@
 					return false;
 				}
 			}
-			return true;
+
+			return path.toLowerCase().indexOf(decodeURI('%0a')) === -1 &&
+				path.toLowerCase().indexOf(decodeURI('%00')) === -1;
 		},
 
 		/**

apps/files/tests/js/filelistSpec.js

@@ -1401,9 +1401,11 @@ describe('OCA.Files.FileList tests', function() {
 				'/abc/..',
 				'/abc/../',
 				'/../abc/',
+				'/foo%0Abar/',
+				'/foo%00bar/',
 				'/another\\subdir/../foo\\../bar\\..\\file/..\\folder/../'
 			], function(path) {
-				fileList.changeDirectory(path);
+				fileList.changeDirectory(decodeURI(path));
 				expect(fileList.getCurrentDirectory()).toEqual('/');
 			});
 		});