diff --git a/Gemfile b/Gemfile
index 146097c2..1104711a 100644
--- a/Gemfile
+++ b/Gemfile
@@ -48,6 +48,7 @@ gem 'acme-client', {
branch: 'no_activesupport'
}
gem 'http'
+gem 'htmlentities'
platform :mri, :rbx do
gem 'magic' # sudo apt-get install file, For OSX: brew install libmagic
diff --git a/Gemfile.lock b/Gemfile.lock
index 7c29ab70..968bb56e 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -97,6 +97,7 @@ GEM
hiredis (0.6.1)
hoe (3.14.2)
rake (>= 0.8, < 11.0)
+ htmlentities (4.3.4)
http (2.0.1)
addressable (~> 2.3)
http-cookie (~> 1.0)
@@ -287,6 +288,7 @@ DEPENDENCIES
geoip
hiredis
hoe (= 3.14.2)
+ htmlentities
http
io-extra
jdbc-postgres
diff --git a/app/site_files.rb b/app/site_files.rb
index c90e8a12..2df30ac9 100644
--- a/app/site_files.rb
+++ b/app/site_files.rb
@@ -134,10 +134,11 @@ end
post '/site_files/delete' do
require_login
- current_site.delete_file params[:filename]
+ path = HTMLEntities.new.decode params[:filename]
+ current_site.delete_file path
flash[:success] = "Deleted #{params[:filename]}. Please note it can take up to 30 minutes for deleted files to stop being viewable on your site."
- dirname = Pathname(params[:filename]).dirname
+ dirname = Pathname(path).dirname
dir_query = dirname.nil? || dirname.to_s == '.' ? '' : "?dir=#{Rack::Utils.escape dirname}"
redirect "/dashboard#{dir_query}"
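Review bot: The flash message directly after the new decode still interpolates `params[:filename]`, so when the dashboard sent an entity-encoded name the user is shown a string that differs from the file actually deleted; it should use the decoded value: `flash[:success] = "Deleted #{path}. Please note it can take up to 30 minutes for deleted files to stop being viewable on your site."`. Because the route now HTML-decodes a request parameter before acting on it, the value passed to `delete_file` can differ from anything inspected on the raw parameter earlier in the request, so any path-containment check must operate on `path` inside `delete_file` (its body is outside this hunk) — worth confirming rather than assuming. `HTMLEntities.new` is also constructed on every request; a frozen module-level instance would do. The route block's closing `end` is outside the hunk.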
diff --git a/tests/site_file_tests.rb b/tests/site_file_tests.rb
index 9141dba1..3c8d808b 100644
--- a/tests/site_file_tests.rb
+++ b/tests/site_file_tests.rb
@@ -69,6 +69,16 @@ describe 'site_files' do
@site.reload.site_files.select {|f| f.path =~ /#{Regexp.quote '8)'}/}.length.must_equal 0
end
+ it 'deletes with escaped apostrophe' do
+ upload(
+ 'dir' => "test'ing",
+ 'files[]' => Rack::Test::UploadedFile.new('./tests/files/test.jpg', 'image/jpeg')
+ )
+ @site.reload.site_files.select {|s| s.path == "test'ing"}.length.must_equal 1
+ delete_file filename: "test'ing"
+ @site.reload.site_files.select {|s| s.path == "test'ing"}.length.must_equal 0
+ end
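Review bot: The new test deletes with the raw name `"test'ing"`, so it never exercises the entity decoding added in `app/site_files.rb` and would pass without that change; the name `deletes with escaped apostrophe` is not what the body does. To cover the decode, send the encoded form the dashboard presumably emits, e.g. `delete_file filename: "test&#39;ing"`, while keeping the upload and both `s.path == "test'ing"` assertions on the raw name. A companion case checking that a name which decodes to something `delete_file` already rejects is still rejected would pin that decoding does not widen what the route accepts. The enclosing `describe 'site_files'` block starts outside the hunk.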
+
it 'deletes a directory and all files in it' do
upload(
'dir' => 'test',
diff --git a/views/dashboard.erb b/views/dashboard.erb
index bc1b855d..c925734f 100644
--- a/views/dashboard.erb
+++ b/views/dashboard.erb
@@ -167,7 +167,7 @@
Manage
<% end %>
<% if !file[:is_root_index] %>
- ')"> Delete
+ ')"> Delete
<% end %>
<% if file[:is_directory] %>