From ed0f0db5fa0aff04594cb0f973ae4c22b17a175a Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Thu, 1 Sep 2016 10:06:06 +0200
Subject: [PATCH 1/3] Filter out %0A from paths

---
 apps/files/js/filelist.js | 7 ++++++-
 apps/files/tests/js/filelistSpec.js | 3 ++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/apps/files/js/filelist.js b/apps/files/js/filelist.js
index 14a5edb2d701d..32de261ea6244 100644
--- a/apps/files/js/filelist.js
+++ b/apps/files/js/filelist.js
@@ -1400,6 +1400,10 @@
 return OC.linkTo('files', 'index.php')+"?dir="+ encodeURIComponent(dir).replace(/%2F/g, '/');
 },
 
+ /**
+ * @param {string} path
+ * @returns {boolean}
+ */
 _isValidPath: function(path) {
 var sections = path.split('/');
 for (var i = 0; i < sections.length; i++) {
@@ -1407,7 +1411,8 @@
 return false;
 }
 }
- return true;
+
+ return path.toLowerCase().indexOf(decodeURI('%0a')) === -1;
 },
 
 /**
diff --git a/apps/files/tests/js/filelistSpec.js b/apps/files/tests/js/filelistSpec.js
index 99a2ff9a5e20a..fd11a58b68ce1 100644
--- a/apps/files/tests/js/filelistSpec.js
+++ b/apps/files/tests/js/filelistSpec.js
@@ -1379,9 +1379,10 @@ describe('OCA.Files.FileList tests', function() {
 '/abc/..',
 '/abc/../',
 '/../abc/',
+ '/foo%0Abar/',
 '/another\\subdir/../foo\\../bar\\..\\file/..\\folder/../'
 ], function(path) {
- fileList.changeDirectory(path);
+ fileList.changeDirectory(decodeURI(path));
 expect(fileList.getCurrentDirectory()).toEqual('/');
 });
 });

From c3ae21fef2880c9fe44e8fdbe1262ac7f9716f14 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Thu, 1 Sep 2016 12:24:14 +0200
Subject: [PATCH 2/3] Also prevent null byte character

---
 apps/files/js/filelist.js | 3 ++-
 apps/files/tests/js/filelistSpec.js | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/apps/files/js/filelist.js b/apps/files/js/filelist.js
index 32de261ea6244..607c82b7d226c 100644
--- a/apps/files/js/filelist.js
+++ b/apps/files/js/filelist.js
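Review bot: The docblock added above `_isValidPath` gives parameter and return types but no description, so a reader still has to read the loop to learn what counts as an invalid path. Add one line such as `* Returns false for paths that contain a rejected segment or a newline character.`; the segment condition itself is not visible in this hunk (the spec cases suggest `..`), so word it to match what the loop actually tests. The function body continues in the next hunk.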
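Review bot: The new return line rejects only LF: `decodeURI('%0a')` is simply `'\n'`, so the `toLowerCase()` call does nothing, and a carriage return (`%0D`) still passes `_isValidPath` even though it is the other line terminator that line-based injection relies on. A single regex states the intent more plainly and covers both, `return !/[\r\n]/.test(path);`, with `\u0000` added to the class once the second patch's hunk in filelist.js lands (that hunk stacks a second `toLowerCase().indexOf(decodeURI('%00'))` onto the same expression and would collapse into the same regex). Whether the server re-validates the path is not visible here; this check runs only in the browser, so it should not be treated as the sole control. `_isValidPath` starts before this hunk.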
@@ -1412,7 +1412,8 @@
 }
 }
 
- return path.toLowerCase().indexOf(decodeURI('%0a')) === -1;
+ return path.toLowerCase().indexOf(decodeURI('%0a')) === -1 &&
+ path.toLowerCase().indexOf(decodeURI('%00')) === -1;
 },
 
 /**
diff --git a/apps/files/tests/js/filelistSpec.js b/apps/files/tests/js/filelistSpec.js
index fd11a58b68ce1..82b70141b72bf 100644
--- a/apps/files/tests/js/filelistSpec.js
+++ b/apps/files/tests/js/filelistSpec.js
@@ -1380,6 +1380,7 @@ describe('OCA.Files.FileList tests', function() {
 '/abc/../',
 '/../abc/',
 '/foo%0Abar/',
+ '/foo%00bar/',
 '/another\\subdir/../foo\\../bar\\..\\file/..\\folder/../'
 ], function(path) {
 fileList.changeDirectory(decodeURI(path));

From df50e967dbd27b13875625b7dd3189294619b071 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Thu, 1 Sep 2016 10:17:15 +0200
Subject: [PATCH 3/3] Add PhantomJS to gitignore

---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index 63a34beb978d4..0811a12f44bab 100644
--- a/.gitignore
+++ b/.gitignore
@@ -107,6 +107,7 @@ nbproject
 /build/lib/
 /build/jsdocs/
 /npm-debug.log
+/PhantomJS_*
 
 # puphpet
 puphpet
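Review bot: The new `'/foo%00bar/'` case in filelistSpec.js, like the `%0A` case before it, only checks that `getCurrentDirectory()` ends up at `'/'` after `changeDirectory`, which would also pass if the path were refused for some unrelated reason or normalised by another code path. Pin the unit under test with a direct assertion, e.g. `expect(fileList._isValidPath('/foo\u0000bar/')).toEqual(false);`, and consider writing the control characters as string escapes (`'/foo\nbar/'`) instead of routing every entry through `decodeURI`, which would throw on any future entry containing a stray `%`. The `it(...)` block enclosing this list starts and ends outside the hunk.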