GUACAMOLE-104: Sanitize filenames before upload or download.

guacamole/src/main/webapp/app/rest/services/tunnelService.js

@@ -135,6 +135,20 @@ angular.module('rest').factory('tunnelService', ['$injector',
 
     };
 
+    /**
+     * Sanitize a filename, replacing all URL path seperators with safe
+     * characters.
+     *
+     * @param {String} filename
+     *     An unsanitized filename that may need cleanup.
+     *
+     * @returns {String}
+     *     The sanitized filename.
+     */
+    var sanitizeFilename = function sanitizeFilename(filename) {
+        return filename.replace(/\/+/g, '_');
+    };
+
     /**
      * Makes a request to the REST API to retrieve the contents of a stream
      * which has been created within the active Guacamole connection associated
@@ -169,7 +183,7 @@ angular.module('rest').factory('tunnelService', ['$injector',
                 + $window.location.pathname
                 + 'api/session/tunnels/' + encodeURIComponent(tunnel)
                 + '/streams/' + encodeURIComponent(stream.index)
-                + '/' + encodeURIComponent(filename)
+                + '/' + encodeURIComponent(sanitizeFilename(filename))
                 + '?token=' + encodeURIComponent(authenticationService.getCurrentToken());
 
         // Create temporary hidden iframe to facilitate download
@@ -232,7 +246,7 @@ angular.module('rest').factory('tunnelService', ['$injector',
                 + $window.location.pathname
                 + 'api/session/tunnels/' + encodeURIComponent(tunnel)
                 + '/streams/' + encodeURIComponent(stream.index)
-                + '/' + encodeURIComponent(file.name)
+                + '/' + encodeURIComponent(sanitizeFilename(file.name))
                 + '?token=' + encodeURIComponent(authenticationService.getCurrentToken());
 
         var xhr = new XMLHttpRequest();