Merge pull request #53279 from nextcloud/backport/53278/stable30

[stable30] fix(dav): file drop nickname

Author: AndyScherzinger

apps/dav/lib/Files/Sharing/FilesDropPlugin.php

@@ -8,6 +8,7 @@
 
 use OC\Files\View;
 use OCP\Share\IShare;
+use Sabre\DAV\Exception\BadRequest;
 use Sabre\DAV\Exception\MethodNotAllowed;
 use Sabre\DAV\ServerPlugin;
 use Sabre\HTTP\RequestInterface;
@@ -65,14 +66,28 @@ public function beforeMethod(RequestInterface $request, ResponseInterface $respo
 		// Extract the attributes for the file request
 		$isFileRequest = false;
 		$attributes = $this->share->getAttributes();
-		$nickName = $request->hasHeader('X-NC-Nickname') ? urldecode($request->getHeader('X-NC-Nickname')) : null;
+		$nickName = $request->hasHeader('X-NC-Nickname') ? trim(urldecode($request->getHeader('X-NC-Nickname'))) : null;
 		if ($attributes !== null) {
 			$isFileRequest = $attributes->getAttribute('fileRequest', 'enabled') === true;
 		}
 
 		// We need a valid nickname for file requests
-		if ($isFileRequest && ($nickName == null || trim($nickName) === '')) {
-			throw new MethodNotAllowed('Nickname is required for file requests');
+		if ($isFileRequest && !$nickName) {
+			throw new BadRequest('Nickname is required for file requests');
+		}
+		
+		if ($nickName !== null) {
+			try {
+				$this->view->verifyPath($path, $nickName);
+			} catch (\Exception $e) {
+				// If the path is not valid, we throw an exception
+				throw new BadRequest('Invalid nickname: ' . $nickName);
+			}
+
+			// Forbid nicknames starting with a dot
+			if (str_starts_with($nickName, '.')) {
+				throw new BadRequest('Invalid nickname: ' . $nickName);
+			}
 		}
 
 		// If this is a file request we need to create a folder for the user

apps/files_sharing/src/views/PublicAuthPrompt.vue

@@ -49,13 +49,15 @@
 
 <script lang="ts">
 import { defineComponent } from 'vue'
+import { loadState } from '@nextcloud/initial-state'
 import { t } from '@nextcloud/l10n'
 
 import NcButton from '@nextcloud/vue/dist/Components/NcButton.js'
 import NcDialog from '@nextcloud/vue/dist/Components/NcDialog.js'
 import NcNoteCard from '@nextcloud/vue/dist/Components/NcNoteCard.js'
 import NcTextField from '@nextcloud/vue/dist/Components/NcTextField.js'
-import { loadState } from '@nextcloud/initial-state'
+
+import { getFilenameValidity } from '../../../files/src/utils/filenameValidity'
 
 export default defineComponent({
 	name: 'PublicAuthPrompt',
@@ -91,6 +93,21 @@ export default defineComponent({
 		},
 	},
 
+	watch: {
+		name() {
+			// Check validity of the new name
+			const newName = this.name.trim?.() || ''
+			const input = (this.$refs.input as Vue|undefined)?.$el.querySelector('input')
+			if (!input) {
+				return
+			}
+
+			const validity = getFilenameValidity(newName)
+			input.setCustomValidity(validity)
+			input.reportValidity()
+		},
+	},
+
 	beforeMount() {
 		// Pre-load the name from local storage if already set by another app
 		// like Talk, Colabora or Text...

build/integration/filesdrop_features/filesdrop.feature

@@ -47,7 +47,7 @@ Feature: FilesDrop
     And Downloading file "/drop/a.txt"
     Then Downloaded content should be "abc"
 
-  Scenario: Files drop forbis MKCOL
+  Scenario: Files drop forbid MKCOL
     Given user "user0" exists
     And As an "user0"
     And user "user0" created a folder "/drop"
@@ -90,3 +90,42 @@ Feature: FilesDrop
     Then Downloaded content should be "abc"
     And Downloading file "/drop/Mallory/a (2).txt"
     Then Downloaded content should be "def"
+
+  Scenario: Files request drop with invalid nickname with slashes
+    Given user "user0" exists
+    And As an "user0"
+    And user "user0" created a folder "/drop"
+    And as "user0" creating a share with
+      | path | drop |
+      | shareType | 4 |
+      | permissions | 4 |
+      | attributes | [{"scope":"fileRequest","key":"enabled","value":true}] |
+      | shareWith |  |
+    When Dropping file "/folder/a.txt" with "abc" as "Alice/Bob/Mallory"
+    Then the HTTP status code should be "400"
+
+  Scenario: Files request drop with invalid nickname with forbidden characters
+    Given user "user0" exists
+    And As an "user0"
+    And user "user0" created a folder "/drop"
+    And as "user0" creating a share with
+      | path | drop |
+      | shareType | 4 |
+      | permissions | 4 |
+      | attributes | [{"scope":"fileRequest","key":"enabled","value":true}] |
+      | shareWith |  |
+    When Dropping file "/folder/a.txt" with "abc" as ".htaccess"
+    Then the HTTP status code should be "400"
+
+  Scenario: Files request drop with invalid nickname with forbidden characters
+    Given user "user0" exists
+    And As an "user0"
+    And user "user0" created a folder "/drop"
+    And as "user0" creating a share with
+      | path | drop |
+      | shareType | 4 |
+      | permissions | 4 |
+      | attributes | [{"scope":"fileRequest","key":"enabled","value":true}] |
+      | shareWith |  |
+    When Dropping file "/folder/a.txt" with "abc" as ".Mallory"
+    Then the HTTP status code should be "400"

dist/2142-2142.js

@@ -8,30 +8,62 @@ SPDX-FileCopyrightText: escape-html developers
 SPDX-FileCopyrightText: assert developers
 SPDX-FileCopyrightText: Tobias Koppers @sokra
 SPDX-FileCopyrightText: Roman Shtylman <[email protected]>
+SPDX-FileCopyrightText: Roeland Jago Douma
 SPDX-FileCopyrightText: Raynos <[email protected]>
 SPDX-FileCopyrightText: Nextcloud GmbH and Nextcloud contributors
 SPDX-FileCopyrightText: Joyent
 SPDX-FileCopyrightText: Jordan Harband <[email protected]>
 SPDX-FileCopyrightText: Jordan Harband
+SPDX-FileCopyrightText: Jonas Schade <[email protected]>
 SPDX-FileCopyrightText: John Molakvoæ (skjnldsv) <[email protected]>
 SPDX-FileCopyrightText: Guillaume Chau <[email protected]>
+SPDX-FileCopyrightText: GitHub Inc.
 SPDX-FileCopyrightText: Evan You
 SPDX-FileCopyrightText: Dr.-Ing. Mario Heiderich, Cure53 <[email protected]> (https://cure53.de/)
 SPDX-FileCopyrightText: David Clark
+SPDX-FileCopyrightText: Christoph Wurst <[email protected]>
 SPDX-FileCopyrightText: Christoph Wurst
 SPDX-FileCopyrightText: Anthony Fu <https://github.com/antfu>
+SPDX-FileCopyrightText: Alkemics
 
 
 This file is generated from multiple sources. Included packages:
+- @nextcloud/auth
+	- version: 2.5.1
+	- license: GPL-3.0-or-later
+- @nextcloud/browser-storage
+	- version: 0.4.0
+	- license: GPL-3.0-or-later
+- @nextcloud/capabilities
+	- version: 1.2.0
+	- license: GPL-3.0-or-later
+- semver
+	- version: 7.6.3
+	- license: ISC
+- @nextcloud/event-bus
+	- version: 3.3.2
+	- license: GPL-3.0-or-later
+- @nextcloud/files
+	- version: 3.10.2
+	- license: AGPL-3.0-or-later
 - @nextcloud/initial-state
 	- version: 2.2.0
 	- license: GPL-3.0-or-later
 - @nextcloud/l10n
 	- version: 3.2.0
 	- license: GPL-3.0-or-later
+- @nextcloud/logger
+	- version: 3.0.2
+	- license: GPL-3.0-or-later
+- @nextcloud/paths
+	- version: 2.2.1
+	- license: GPL-3.0-or-later
 - @nextcloud/router
 	- version: 3.0.1
 	- license: GPL-3.0-or-later
+- @nextcloud/sharing
+	- version: 0.2.4
+	- license: GPL-3.0-or-later
 - @nextcloud/vue
 	- version: 8.27.0
 	- license: AGPL-3.0-or-later
@@ -56,6 +88,9 @@ This file is generated from multiple sources. Included packages:
 - call-bound
 	- version: 1.0.4
 	- license: MIT
+- cancelable-promise
+	- version: 4.3.1
+	- license: MIT
 - console-browserify
 	- version: 1.2.0
 	- license: MIT
@@ -149,6 +184,15 @@ This file is generated from multiple sources. Included packages:
 - object.assign
 	- version: 4.1.7
 	- license: MIT
+- inherits
+	- version: 2.0.3
+	- license: ISC
+- util
+	- version: 0.10.4
+	- license: MIT
+- path
+	- version: 0.12.7
+	- license: MIT
 - possible-typed-array-names
 	- version: 1.0.0
 	- license: MIT
@@ -164,6 +208,9 @@ This file is generated from multiple sources. Included packages:
 - tabbable
 	- version: 6.2.0
 	- license: MIT
+- typescript-event-target
+	- version: 1.1.1
+	- license: MIT
 - util
 	- version: 0.12.5
 	- license: MIT

dist/5315-5315.js.license dist/2142-2142.js.licensedist/5315-5315.js.license renamed to dist/2142-2142.js.license

@@ -0,0 +1 @@
+2142-2142.js.license