[CLOSED] Fix #13099: Disallow user to create files/folder using relative path #11240

Open
core-ai-bot opened this issue Aug 30, 2021 · 8 comments

Comments

@core-ai-bot

Issue by sdalmeida
Sunday Apr 02, 2017 at 16:45 GMT
Originally opened as adobe/brackets#13256


This is a Work In Progress PR referring to original issue adobe#13099
Before this PR can be landed, it would be nice to know which chars are actually invalid.

These are the chars that I'm invalidating:

  • \?
  • \\
  • \*
  • \.{2,} <-- .. or more should not be allowed, but allow .
  • \.$ <-- allow a file to have . but not end with .
  • \/
  • \|
  • \>
  • \<

I also have to add a unit test for this case.
Let me know if there are any chars that need to be added/removed.


sdalmeida included the following code: https://github.com/adobe/brackets/pull/13256/commits

@core-ai-bot

Comment by swmitra
Sunday Apr 02, 2017 at 17:13 GMT


@simon66 I still have the same confusion regarding the invalid character handling code. Part of the reason is the way file names get validated by the OS; it's quite different in the case of Windows and OS X. Not sure whether we can have a common regex validator, as that would limit the file naming capability on either of the platforms.

@core-ai-bot

Comment by swmitra
Sunday Apr 02, 2017 at 17:18 GMT


What we can think about is that the projects being worked on in Brackets are predominantly web projects. Eventually these files will be served and loaded in browser shells. What kind of restrictions do we have on the file names while serving them over the network? Just thinking out loud, maybe not valid in this context.

@core-ai-bot

Comment by sdalmeida
Sunday Apr 02, 2017 at 17:28 GMT


Another confusion of mine is why these filenames are considered "bad":

screen shot 2017-04-02 at 1 23 23 pm

Why is com a valid filename and com1 not?
Also, I don't see why any of these file names are labelled as invalid.
Any ideas @tallandroid?

@core-ai-bot

Comment by sdalmeida
Sunday Apr 02, 2017 at 17:37 GMT


@swmitra I think that no matter where this code lives (macOS, Windows, Linux), those chars should be invalid. I'm not too sure why we should allow < or > on a Linux env but not on Windows (even though that char should be invalid on both OSes).
But then again, which chars are invalid and which should not be?

@core-ai-bot

Comment by sdalmeida
Sunday Apr 02, 2017 at 19:32 GMT


I've changed the function isValidFilename to disallow any file name that contains folder structure (like tmp\file.log) and I created a new function to check if full pathname is valid. I've also added some test cases.
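
The rules discussed in this thread, as an added example that is not part of the original issue or the PR's code: a single-name check built from the characters listed in the first post, a per-segment check for full paths, and the Windows reserved device names, which are why `com1` is rejected while `com` is not. `isSafeFilename` and `isSafeRelativePath` are hypothetical names, and "/" as the only path separator is an assumption.

```javascript
// Added example: hypothetical helpers, not the code from the Brackets PR.
// Character rules are the ones listed in the first post of this thread:
// ? \ * / | < >, two or more consecutive dots, and a trailing dot.
const INVALID_IN_NAME = /[?\\*\/|<>]|\.{2,}|\.$/;

// Windows reserves these device names, with or without an extension
// ("com1" and "com1.txt" are both reserved; "com" is an ordinary name).
const WINDOWS_RESERVED = /^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\..*)?$/i;

// Validate ONE file or folder name. Separators are rejected outright, so a
// name such as "tmp\file.log" or "../x" can never smuggle in folder structure.
function isSafeFilename(name) {
    if (typeof name !== "string" || name.length === 0) {
        return false;
    }
    return !INVALID_IN_NAME.test(name) && !WINDOWS_RESERVED.test(name);
}

// Validate a project-relative path by checking every segment on its own.
// Assumption: "/" is the only separator. Empty segments (leading "/",
// trailing "/", "//") and the "." and ".." segments all fail the name check,
// so the path cannot be absolute and cannot climb out of the project root.
function isSafeRelativePath(path) {
    if (typeof path !== "string" || path.length === 0) {
        return false;
    }
    return path.split("/").every(isSafeFilename);
}

// Constructed sample inputs.
const samples = ["index.html", ".htaccess", "../secret.txt", "tmp\\file.log",
                 "notes.", "com", "com1", "src/js/main.js", "src/../../etc"];
for (const s of samples) {
    console.log(JSON.stringify(s), isSafeFilename(s), isSafeRelativePath(s));
}
```

Applying the same rules on every platform is stricter than macOS or Linux require; it keeps a project portable to Windows at the cost of rejecting some names those systems would accept.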

@core-ai-bot

Comment by sdalmeida
Monday Apr 24, 2017 at 21:41 GMT


@humphd Done 👍

@core-ai-bot

Comment by sdalmeida
Thursday Feb 08, 2018 at 04:19 GMT


Hi @swmitra
I want to follow up on the status of this PR. I see that the code was approved but the PR is still open. There are many forked projects that might benefit from this bug fix 👍
Thanks :)

@core-ai-bot

Comment by nethip
Tuesday Feb 20, 2018 at 04:58 GMT


Thanks for your contributions @simon66.
