Allow upload link to work for subdirectory of upload folder.

Currently the behavior is such that the directory specified in the
two requests have to match, which makes the argument for the second
request completely useless. If this were to be the desired behavior
then the `parent_dir` parameter should just be ignored from the second
request completely. Alternatively, this commit allows upload to a subdirectory
of the `p` parameter from the first request again.
This matches the old behavior better without allowing uploading to
an arbitrary directory.

If the current behavior is also desired for some use cases,
it should be added as new request or
with a new parameter on the first request.

Fix regression from #286.

Fix seahub#4441

server/upload-file.c

@@ -326,14 +326,27 @@ static gboolean
 is_parent_matched (const char *upload_dir,
                    const char *parent_dir)
 {
+    // parent_dir must be under upload_dir
     gboolean ret = TRUE;
     char *upload_dir_canon = NULL;
     char *parent_dir_canon = NULL;
 
     upload_dir_canon = get_canonical_path (upload_dir);
     parent_dir_canon = get_canonical_path (parent_dir);
-
-    if (strcmp (upload_dir_canon,parent_dir_canon) != 0) {
+    size_t upload_dir_len = strlen (upload_dir_canon);
+    size_t parent_dir_len = strlen (parent_dir_canon);
+
+    // If this were real unix path name, care needs to be taken about `..`
+    // However, I believe `..` is not handled in any special way on the server
+    // so it can be ignored for now.
+    if (parent_dir_len < upload_dir_len ||
+        strncmp (upload_dir_canon, parent_dir_canon, upload_dir_len) != 0) {
+        // Prefix mismatches
+        ret = FALSE;
+    } else if (parent_dir_canon[upload_dir_len] != '/' &&
+               parent_dir_canon[upload_dir_len] != 0) {
+        // `0` is exact match and `'/'` is true subdirectory.
+        // Anything else is forbidden.
         ret = FALSE;
     }