  1. Sakai
  2. SAK-16412

resources can't handle file with quote in the ID


    Details

    • Type: Bug
    • Status: RESOLVED
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.6.0, 2.7.1, 2.8.0
    • Fix Version/s: 2.8.0
    • Component/s: Content
    • Labels:
      None
    • CLE Team Issue:
      Yes

      Description

      Using DAV it is possible to create a file with any character in the name. We have to allow this, because DAV expects that any file it stores can be retrieved and will have the same name.

      If you create a file with ' or " in the name, it works OK in DAV, but the normal web interface can't manipulate it. There are various strings in JavaScript and attributes using ' ' and " " as delimiters.

      I don't immediately see any way to exploit this, but I worry about possible security implications if you let users put delimiters into strings.

      Patch attached. I've given it some testing, but certainly not extensive.
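
The failure described above, shown as an added example (this is not Sakai's code and not the attached patch): an ID containing ' and " is placed into a JavaScript string inside an HTML attribute, first unchanged and then with encoding applied per context. `SAMPLE_ID` is a constructed value, and `selectItem()` and all function names are hypothetical.

```javascript
// Added example; SAMPLE_ID is constructed and selectItem() is a hypothetical handler.
const SAMPLE_ID = `/group/demo/Bob's "final" notes.txt`;

// JavaScript string context: everything outside a small safe set becomes \uXXXX,
// so neither ' nor " (nor a backslash) can terminate or alter the literal.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 _.\/-]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// HTML attribute/text context: encode the characters that delimit markup.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Before: the ID is pasted into both contexts unchanged.
function naiveLink(id) {
  return `<a href="#" onclick="selectItem('${id}')">${id}</a>`;
}

// After: encode for the inner context (JS string) first, then the outer one (attribute).
function encodedLink(id) {
  const handler = `selectItem('${escapeJsString(id)}')`;
  return `<a href="#" onclick="${escapeHtml(handler)}">${escapeHtml(id)}</a>`;
}

// Check: read the markup back the way a browser would and return the ID that
// selectItem() would receive, or null if the attribute or literal was cut short.
function idSeenByHandler(html) {
  const attr = /onclick="([^"]*)"/.exec(html);
  if (!attr) return null;
  const code = attr[1].replace(/&(amp|lt|gt|quot|#39);/g,
    (m) => Object.keys(ENTITIES).find((k) => ENTITIES[k] === m));
  const call = /^selectItem\('([^']*)'\)$/.exec(code);
  return call ? JSON.parse(`"${call[1]}"`) : null;
}

console.log(idSeenByHandler(naiveLink(SAMPLE_ID)));   // handler never sees the ID
console.log(idSeenByHandler(encodedLink(SAMPLE_ID))); // handler sees the exact ID
```

The order matters: the value is encoded for the JavaScript string first and the resulting handler code is then encoded for the attribute, because the browser decodes the attribute before it parses the script.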


                  People

                  Assignee:
                  ottenhoff Sam Ottenhoff
                  Reporter:
                  hedrick Charles Hedrick
                  Votes: 0
                  Watchers: 2
