Before any upload is submitted the upload is registered in a list of
known uploads; this is needed to retrieve the upload object at several
points of the upload process. When a chunked upload is submitted first a
directory to upload all the chunks is created and, once that is done,
the chunks are sent; in order to send a chunk the upload object needs to
be retrieved from the list of known uploads.
When all the active uploads were finished the list of known uploads was
cleared. However, an upload is not active until it actually starts
sending the data, so while waiting for the upload directory to be
created the upload is already in the list of known uploads yet not
active. Due to all this, if the active uploads finished while another
pending upload was waiting for the upload directory to be created that
pending upload would be removed from the list of known uploads too, and
once the directory was created and thus the chunks were sent a field of
a null upload object would be accessed thus causing a failure.
Instead of removing all the known uploads at once when the active
uploads finish now each upload is explicitly removed when it finishes.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
The escaping of special characters was needed when the ids of the
permission checkboxes for shares were based on the "shareWith" field.
Since they are based on the "shareId" field the escaping is no longer
needed, as the "sharedId" is expected to always contain compatible
characters.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
The ids of permission checkboxes for shares were generated using the
"shareWith" field of the share. The "shareWith" field can contain spaces
(as spaces are allowed, for example, in user or circle names), so this
could cause the id attribute of the HTML element to contain spaces too,
which is forbidden by the HTML specification.
It is not just a "formal" issue, though; when the list was rendered, if
the id contained a space the selector to get the checkbox element was
wrong (as it ended being something like
"#canEdit-view1-name with spaces") and thus the initial state of the
checkbox was not properly set.
Besides that, "shareWith" can contain too single quotes, which would
even cause the jQuery selector to abort the search and leave the UI in
an invalid state.
Instead of adding more cases to the regular expression to escape special
characters and apply it too when the ids are created now the ids of
permission checkboxes for shares are based on the "shareId" field
instead of on "shareWith", as "shareId" is expected to always contain
compatible characters.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
The offset is based on the last known comment instead of limit-offset,
so new comments don't mess up requests which get the history of an object-
Signed-off-by: Joas Schilling <coding@schilljs.com>
Before there was a button to "quickly" add the untrusted domain to the config. This button often didn't worked, because the generated URL was often untrusted as well. Thus removing it and providing proper docs seems to be the better approach to handle this rare case.
Also the log should not be spammed by messages for the untrusted domain accesses, because they are user related and not necessarily an administrative issue.
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
We added a special `func()` method to the query builder, which is a plain text function by definition. It uses the string and does no escaping on purpose. It has the potential for an injection but requiring to add the "supress warning" to all surrounding code makes it harder to spot actual problems, that this plugin want to find. So it's better to only need to check the func() and not all the surrounding code as well.
Signed-off-by: Morris Jobke <hey@morrisjobke.de>