Files island: path-traversal, no delete/paste confirms, silent WebDAV failures #107

Open
opened 2026-04-21 15:23:58 +00:00 by zaelgohary · 0 comments
Member

Bugs

  • **Path traversal unchecked** on upload, rename, and new-folder. User types `../..` and the operation hits WebDAV as-is.
  • **Paste and duplicate fire immediately** with no confirmation. Easy to clobber files with a stray right-click.
  • **Empty `forge_url` = silent failure.** Every WebDAV call builds a client without checking the URL is set; if forge isn't reachable you get no error, just nothing happens.
  • **PDF preview iframe** passes `download_url()` straight into `src=` with no validation.
  • Mobile download path is a `// TODO` that just logs.

Why it matters

The first three are real footguns users can hit by accident. The iframe and mobile TODO are lower priority cleanup.
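The two defensive checks the first and third bullets ask for, as an added example that is not code from the hero_archipelagos project: a validator that turns a user-typed path into a clean relative path (rejecting `..`, absolute paths, backslashes and NUL bytes) before anything is sent to WebDAV, and a `forge_url` guard that fails loudly instead of building a client that does nothing. The function names (`validate_relative_path`, `require_forge_url`, `webdav_target`), the `PathError` type and the sample inputs are all assumptions chosen for this illustration.

```rust
// Added example (not project code): defensive checks for user-supplied
// WebDAV paths and the `forge_url` setting described in the issue.
// `validate_relative_path`, `require_forge_url` and `webdav_target` are
// assumed names, not identifiers from the project.

#[derive(Debug, PartialEq)]
pub enum PathError {
    Empty,
    Absolute,
    Traversal,
    BadSegment(String),
}

/// Normalise a user-typed path (upload, rename or new-folder target) into a
/// relative path made only of plain segments. `..` anywhere is rejected,
/// so the caller can never build a WebDAV URL outside the share root.
/// Note: this expects a decoded string; percent-decode first if the input
/// arrived URL-encoded, otherwise `%2e%2e` would pass as a plain segment.
pub fn validate_relative_path(input: &str) -> Result<String, PathError> {
    let trimmed = input.trim();
    if trimmed.is_empty() {
        return Err(PathError::Empty);
    }
    if trimmed.starts_with('/') {
        return Err(PathError::Absolute);
    }
    let mut clean: Vec<&str> = Vec::new();
    for seg in trimmed.split('/') {
        match seg {
            // tolerate "a//b" and "./a" by dropping empty and "." segments
            "" | "." => continue,
            ".." => return Err(PathError::Traversal),
            s if s.contains('\\') || s.contains('\0') => {
                return Err(PathError::BadSegment(s.to_string()))
            }
            s => clean.push(s),
        }
    }
    if clean.is_empty() {
        return Err(PathError::Empty);
    }
    Ok(clean.join("/"))
}

/// Fail loudly when `forge_url` is unset or not an http(s) URL instead of
/// silently building a client against an empty base.
pub fn require_forge_url(forge_url: &str) -> Result<&str, String> {
    let url = forge_url.trim();
    if url.is_empty() {
        return Err("forge_url is not configured".to_string());
    }
    if !(url.starts_with("http://") || url.starts_with("https://")) {
        return Err(format!("forge_url must be an http(s) URL, got {:?}", url));
    }
    Ok(url)
}

/// Combine a validated base URL and a validated relative path into the
/// final WebDAV target; any error surfaces to the caller (and the UI).
pub fn webdav_target(forge_url: &str, user_path: &str) -> Result<String, String> {
    let base = require_forge_url(forge_url)?;
    let rel = validate_relative_path(user_path)
        .map_err(|e| format!("invalid path: {:?}", e))?;
    Ok(format!("{}/{}", base.trim_end_matches('/'), rel))
}

fn main() {
    // Constructed sample inputs, including the `../..` case from the issue.
    for p in ["docs/report.pdf", "../../etc/passwd", "/abs", "a/./b//c"] {
        println!("{:?} -> {:?}", p, validate_relative_path(p));
    }
    println!("{:?}", webdav_target("", "docs/x.pdf"));
    println!("{:?}", webdav_target("https://forge.example/dav/", "docs/x.pdf"));
}
```

Calling `webdav_target` at the top of every upload, rename and new-folder handler gives one place where both the empty-URL case and the traversal case become a visible error rather than a request that either does nothing or reaches the server as typed.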

Reference
lhumina_code/hero_archipelagos#107