Skip to content

Commit

Permalink
also prevent / as filename
Browse files Browse the repository at this point in the history
Signed-off-by: Jörn Friedrich Dreyer <[email protected]>
  • Loading branch information
butonic committed Jun 25, 2024
1 parent 24ca4f8 commit c857935
Show file tree
Hide file tree
Showing 2 changed files with 3 additions and 3 deletions.
4 changes: 2 additions & 2 deletions internal/http/services/owncloud/ocdav/put.go
Original file line number Diff line number Diff line change
Expand Up @@ -114,9 +114,9 @@ func (s *svc) handlePathPut(w http.ResponseWriter, r *http.Request, ns string) {

fn := path.Join(ns, r.URL.Path)

sublog := appctx.GetLogger(ctx).With().Str("path", fn).Logger()
sublog := appctx.GetLogger(ctx).With().Str("path", r.URL.Path).Logger()

if err := ValidateName(filepath.Base(fn), s.nameValidators); err != nil {
if err := ValidateName(filepath.Base(r.URL.Path), s.nameValidators); err != nil {
w.WriteHeader(http.StatusBadRequest)
b, err := errors.Marshal(http.StatusBadRequest, err.Error(), "")
errors.HandleWebdavError(&sublog, w, b, err)
Expand Down
2 changes: 1 addition & 1 deletion internal/http/services/owncloud/ocdav/validation.go
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ func ValidateDestination(name string, validators []Validator) error {

func notReserved() Validator {
return func(s string) error {
if s == ".." || s == "." {
if s == ".." || s == "." || s == "/" {
return errors.New(". and .. are reserved names")
}
return nil
Expand Down

0 comments on commit c857935

Please sign in to comment.