* @param _folderName the name of the folder to create\r
*/\r
private void createFolder() {\r
+ String name = folderName.getText();\r
+ if (!GSS.isValidResourceName(name)) {\r
+ GSS.get().displayError("The folder name '" + name + "' is invalid");\r
+ return;\r
+ }\r
PostCommand ep = new PostCommand(folder.getUri() + "?new=" +\r
- URL.encodeComponent(folderName.getText()), "", 201) {\r
+ URL.encodeComponent(name), "", 201) {\r
\r
@Override\r
public void onComplete() {\r
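Review bot: The client check `if (!GSS.isValidResourceName(name))` validates the raw field text, so an empty or whitespace-only name, and any name containing '/', passes and is sent as `?new=`; since the matching server-side helper rejects the same two literal values only, neither side catches those cases. Consider `String name = folderName.getText().trim();` followed by `if (name.isEmpty() || !GSS.isValidResourceName(name)) {` so the dialog reports the problem instead of the server. The error string embeds the user-typed name unescaped; if `displayError` renders its argument as HTML rather than as text, that is markup injected into the page from the input field, which is worth confirming. The stale `@param _folderName` tag above a no-argument method is pre-existing and could be dropped while here. createFolder's body continues past the hunk inside the PostCommand callback.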
return tokenInput;
}
+
+ /**
+ * Reject illegal resource names, like '.' or '..'.
+ */
+ static boolean isValidResourceName(String name) {
+ if (".".equals(name) || "..".equals(name))
+ return false;
+ return true;
+ }
+
+
}
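Review bot: `isValidResourceName` returns true for null and for any string other than the exact literals "." and "..", so a name such as `../x`, `a/..` or the empty string is accepted, and the Javadoc's "like '.' or '..'" suggests broader coverage than the code has. Because the same helper is also applied to the search query in SearchResults, tightening it to reject '/' or blanks would change search behaviour; if folder names need the stricter rule, add a separate check (e.g. `name.indexOf('/') >= 0`) at the folder-creation call site or a second method. At minimum make the contract explicit in the Javadoc: `Rejects the two literal names "." and ".."; null, empty strings and names containing separators are accepted.` The method uses no state, so `static` is appropriate, and package-private visibility matches the callers shown.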
startIndex = 0;
app.showLoadingIndicator();
if (query == null || query.trim().equals("")) {
- searchResults.setHTML("You must specify a query");
+ searchResults.setHTML("You must specify a query.");
+ setFiles(new ArrayList());
+ update(true);
+ app.hideLoadingIndicator();
+ } else if (!GSS.isValidResourceName(query)) {
+ searchResults.setHTML("The query was invalid. Try to use words that appear in the file's name, contents or tags.");
setFiles(new ArrayList());
update(true);
app.hideLoadingIndicator();
}
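Review bot: The new `else if` validates the untrimmed `query`, while the branch above it tests `query.trim()`, so a query of ` .. ` with surrounding spaces passes this client check even though the trimmed form is exactly what the helper is meant to reject. Use `} else if (!GSS.isValidResourceName(query.trim())) {` for consistency, or hoist `String q = query == null ? "" : query.trim();` above the chain and test `q.isEmpty()` and `GSS.isValidResourceName(q)`. Both branches also end with the same three lines (`setFiles(new ArrayList())`, `update(true)`, `app.hideLoadingIndicator()`); computing the message in a local and sharing one tail would keep them from drifting. The enclosing method starts before and continues after the hunk, so whether execution falls through to the search after these branches is not visible here.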
String newName = req.getParameter(NEW_FOLDER_PARAMETER);
+ if (!isValidResourceName(newName)) {
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
+ return;
+ }
boolean hasUpdateParam = req.getParameterMap().containsKey(RESOURCE_UPDATE_PARAMETER);
boolean hasTrashParam = req.getParameterMap().containsKey(RESOURCE_TRASH_PARAMETER);
boolean hasRestoreParam = req.getParameterMap().containsKey(RESOURCE_RESTORE_PARAMETER);
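Review bot: The check `if (!isValidResourceName(newName))` rejects only the literal names "." and "..": a `new` value containing a separator, such as `a/../b`, still passes and reaches whatever builds the folder's path, and a missing parameter (null) passes too because `".".equals(null)` is false. The shared helper cannot simply be tightened, since the same method is applied to a whole path in the search handler where '/' is legitimate, so if the folder name becomes a path component reject separators here at the single-segment call site: `if (newName != null && (newName.indexOf('/') >= 0 || !isValidResourceName(newName))) {`. Whether null is acceptable depends on the update/trash/restore handling below, which is outside the hunk, so the null guard keeps the previous behaviour for that case.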
if (path.equals("/")) {
// Request to add group
final String group = req.getParameter(GROUP_PARAMETER);
+ if (!isValidResourceName(group)) {
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
+ return;
+ }
if (logger.isDebugEnabled())
logger.debug("Adding group " + group);
new TransactionHelper<Void>().tryExecute(new Callable<Void>() {
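Review bot: `group` comes straight from `req.getParameter(GROUP_PARAMETER)` and may be null; `isValidResourceName(null)` returns true, so the new 400 branch never fires for a missing parameter and the null continues into the debug log and the transaction below. If a group name is required here, fold the presence check into the guard: `if (group == null || !isValidResourceName(group)) {`. As with folder names, the helper does not reject a '/' inside the name; if group names become URI path segments, add `group.indexOf('/') >= 0` to the same condition. The Callable body that actually adds the group is outside the hunk.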
} else {
// Request to add group member
String username = req.getParameter(USERNAME_PARAMETER);
+ if (!isValidResourceName(username)) {
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
+ return;
+ }
// Chop any trailing slash
path = path.endsWith("/")? path.substring(0, path.length()-1): path;
// Chop any leading slash
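Review bot: This is the third copy in the commit of the same four-line pattern (`if (!isValidResourceName(x)) { resp.sendError(SC_BAD_REQUEST); return; }`), here for `username`; a small helper on the base handler such as `boolean requireValidResourceName(String name, HttpServletResponse resp) throws IOException` that sends the error and returns false would reduce each call site to `if (!requireValidResourceName(username, resp)) return;` and keep the status code consistent if it changes later. The check also accepts null for a missing USERNAME_PARAMETER, so the existing handling of that case below, not visible here, is still what guards it. The slash-chopping lines that follow operate on `path`, not `username`, so a username containing '/' is not normalised by them.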
return result;
}
+
+ /**
+ * Reject illegal resource names, like '.' or '..'.
+ */
+ protected boolean isValidResourceName(String name) {
+ if (".".equals(name) || "..".equals(name))
+ return false;
+ return true;
+ }
}
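Review bot: The Javadoc on `isValidResourceName` overstates what it does: the body rejects exactly the two literals "." and ".." and returns true for null, the empty string and any name that merely contains those segments, e.g. `a/../b`. State that in the comment (`Rejects the literal names "." and ".."; null and empty strings are accepted, and embedded segments are not examined.`) so callers like the search handler, which passes a whole path to it, do not assume more. For that path call site a per-segment check is the meaningful one, unless `getInnerPath` is known to normalise the path first; the method below, called from the search handler in place of the single-string check, covers it. The method reads no instance state and could be `static`.
```java
/** Rejects a path in which any '/'-separated segment is "." or "..". */
protected boolean isValidResourcePath(String path) {
    for (String segment : path.split("/"))
        if (!isValidResourceName(segment))
            return false;
    return true;
}
```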
String path = getInnerPath(req, PATH_SEARCH);
if (path.equals(""))
path = "/";
+ if (!isValidResourceName(path)) {
+ resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
+ return;
+ }
if (!path.equals("/"))
try {