From c857935b69bdc0a306f280845bee6d880683232a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rn=20Friedrich=20Dreyer?= Date: Tue, 25 Jun 2024 12:50:35 +0200 Subject: [PATCH] also prevent / as filename MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Jörn Friedrich Dreyer --- internal/http/services/owncloud/ocdav/put.go | 4 ++-- internal/http/services/owncloud/ocdav/validation.go | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/internal/http/services/owncloud/ocdav/put.go b/internal/http/services/owncloud/ocdav/put.go index c2d38bd89fe..7a617eb41b7 100644 --- a/internal/http/services/owncloud/ocdav/put.go +++ b/internal/http/services/owncloud/ocdav/put.go @@ -114,9 +114,9 @@ func (s *svc) handlePathPut(w http.ResponseWriter, r *http.Request, ns string) { fn := path.Join(ns, r.URL.Path) - sublog := appctx.GetLogger(ctx).With().Str("path", fn).Logger() + sublog := appctx.GetLogger(ctx).With().Str("path", r.URL.Path).Logger() - if err := ValidateName(filepath.Base(fn), s.nameValidators); err != nil { + if err := ValidateName(filepath.Base(r.URL.Path), s.nameValidators); err != nil { w.WriteHeader(http.StatusBadRequest) b, err := errors.Marshal(http.StatusBadRequest, err.Error(), "") errors.HandleWebdavError(&sublog, w, b, err) diff --git a/internal/http/services/owncloud/ocdav/validation.go b/internal/http/services/owncloud/ocdav/validation.go index 07b576feeb2..0b5ee1d4bc4 100644 --- a/internal/http/services/owncloud/ocdav/validation.go +++ b/internal/http/services/owncloud/ocdav/validation.go @@ -42,7 +42,7 @@ func ValidateDestination(name string, validators []Validator) error { func notReserved() Validator { return func(s string) error { - if s == ".." || s == "." { + if s == ".." || s == "." || s == "/" { return errors.New(". and .. are reserved names") } return nil