Moved rietveld issue 43001 Protect against invalid file names to github

appinventor/appengine/src/com/google/appinventor/client/OdeMessages.java

@@ -881,6 +881,10 @@ public interface OdeMessages extends Messages {
   @Description("Error message when file name contains characters that would require URL encoding.")
   String malformedFilename();
 
+  @DefaultMessage("File names must be between 1 and 100 characters.")
+  @Description("Error message when filenames are 0 or 101+ characters long")
+  String filenameBadSize();
+  
   @DefaultMessage("Uploading {0} to the App Inventor server")
   @Description("Message displayed when an asset is uploaded.")
   String fileUploadingMessage(String filename);

appinventor/appengine/src/com/google/appinventor/client/wizards/FileUploadWizard.java

@@ -11,6 +11,7 @@ import com.google.appinventor.client.explorer.project.Project;
 import com.google.appinventor.client.output.OdeLog;
 import com.google.appinventor.client.utils.Uploader;
 import com.google.appinventor.client.youngandroid.CodeblocksManager;
+import com.google.appinventor.client.youngandroid.TextValidators;
 import com.google.appinventor.shared.rpc.ServerLayout;
 import com.google.appinventor.shared.rpc.UploadResponse;
 import com.google.appinventor.shared.rpc.project.FileNode;
@@ -79,9 +80,12 @@ public class FileUploadWizard extends Wizard {
         String uploadFilename = upload.getFilename();
         if (!uploadFilename.isEmpty()) {
           final String filename = makeValidFilename(uploadFilename);
-          if(filename.contains("'")||!filename.equals(URL.encodeComponent(filename))){
+          if(!TextValidators.isValidCharFilename(filename)){
             Window.alert(MESSAGES.malformedFilename());
             return;
+          } else if (!TextValidators.isValidLengthFilename(filename)){
+            Window.alert(MESSAGES.filenameBadSize());
+            return;
           }
           if (fileAlreadyExists(folderNode, filename)) {
             if (!confirmOverwrite(folderNode, filename)) {

appinventor/appengine/src/com/google/appinventor/client/youngandroid/TextValidators.java

@@ -4,12 +4,16 @@ package com.google.appinventor.client.youngandroid;
 
 import com.google.appinventor.client.Ode;
 import static com.google.appinventor.client.Ode.MESSAGES;
+
+import com.google.gwt.http.client.URL;
 import com.google.gwt.user.client.Window;
 
 /**
  */
 public final class TextValidators {
 
+  private static final int MAX_FILENAME_SIZE = 100;
+  private static final int MIN_FILENAME_SIZE = 1;
   // This class should never be instantiated.
   private TextValidators() {}
 
@@ -51,4 +55,33 @@ public final class TextValidators {
   public static boolean isValidIdentifier(String text) {
     return text.matches("^[a-zA-Z]\\w*$");
   }
+  
+  /**
+   * Checks whether the argument is a legal filename, meaning
+   * it is unchanged by URL encoding and it meets the aapt
+   * requirements as follows:
+   * - all characters must be 7-bit printable ASCII
+   * - none of { '/' '\\' ':' }
+   * @param filename The filename (not path) of uploaded file
+   * @return {@code true} if the argument is a legal filename, {@code false}
+   *         otherwise
+   */
+  public static boolean isValidCharFilename(String filename){
+    return !filename.contains("'") && filename.equals(URL.encodePathSegment(filename));
+  }
+  
+  /**
+   * Checks whether the argument is a filename which meets the length
+   * requirement imposed by aapt, which is:
+   * - the filename length must be less than kMaxAssetFileName bytes long
+   *   (and can't be empty)
+   * where kMaxAssetFileName is defined to be 100.
+   * (A legal name, therefore, has length <= kMaxAssetFileNames)
+   * @param filename The filename (not path) of uploaded file
+   * @return {@code true} if the length of the argument is legal, {@code false}
+   *         otherwise
+   */
+  public static boolean isValidLengthFilename(String filename){
+    return !(filename.length() > MAX_FILENAME_SIZE || filename.length() < MIN_FILENAME_SIZE);
+  }
 }