fix: validate symlink's target (#11)
Laurynas Gadliauskas
GitHub
parent
372b1f00ed
commit
094ee331d6
|
|
@ -65,6 +65,21 @@ func NewFileInfo(opts FileOptions) (*FileInfo, error) {
|
|||
return nil, os.ErrPermission
|
||||
}
|
||||
|
||||
isSymlink := false
|
||||
symlink := ""
|
||||
if lst, ok := opts.Fs.(afero.Lstater); ok {
|
||||
info, _, err := lst.LstatIfPossible(opts.Path)
|
||||
if err == nil {
|
||||
isSymlink = IsSymlink(info.Mode())
|
||||
}
|
||||
}
|
||||
|
||||
if isSymlink {
|
||||
if lsf, ok := opts.Fs.(afero.LinkReader); ok {
|
||||
symlink, _ = lsf.ReadlinkIfPossible(opts.Path)
|
||||
}
|
||||
}
|
||||
|
||||
info, err := opts.Fs.Stat(opts.Path)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
|
@ -77,6 +92,8 @@ func NewFileInfo(opts FileOptions) (*FileInfo, error) {
|
|||
ModTime: info.ModTime(),
|
||||
Mode: info.Mode(),
|
||||
IsDir: info.IsDir(),
|
||||
IsSymlink: isSymlink,
|
||||
Link: symlink,
|
||||
Size: info.Size(),
|
||||
Extension: filepath.Ext(info.Name()),
|
||||
Token: opts.Token,
|
||||
|
|
@ -257,7 +274,7 @@ func (i *FileInfo) readListing(checker rules.Checker, readHeader bool) error {
|
|||
}
|
||||
|
||||
isSymlink := IsSymlink(f.Mode())
|
||||
symLink := ""
|
||||
symlink := ""
|
||||
if isSymlink {
|
||||
// It's a symbolic link. We try to follow it. If it doesn't work,
|
||||
// we stay with the link information instead of the target's.
|
||||
|
|
@ -268,10 +285,7 @@ func (i *FileInfo) readListing(checker rules.Checker, readHeader bool) error {
|
|||
|
||||
// Try to read the link's target
|
||||
if lsf, ok := i.Fs.(afero.LinkReader); ok {
|
||||
link, err := lsf.ReadlinkIfPossible(fPath)
|
||||
if err == nil {
|
||||
symLink = link
|
||||
}
|
||||
symlink, _ = lsf.ReadlinkIfPossible(fPath)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -283,7 +297,7 @@ func (i *FileInfo) readListing(checker rules.Checker, readHeader bool) error {
|
|||
Mode: f.Mode(),
|
||||
IsDir: f.IsDir(),
|
||||
IsSymlink: isSymlink,
|
||||
Link: symLink,
|
||||
Link: symlink,
|
||||
Extension: filepath.Ext(name),
|
||||
Path: fPath,
|
||||
}
|
||||
|
|
|
|||
|
|
@ -37,6 +37,17 @@ var resourceGetHandler = withUser(func(w http.ResponseWriter, r *http.Request, d
|
|||
return errToStatus(err), err
|
||||
}
|
||||
|
||||
// check if symlink's target is within base path
|
||||
if file.IsSymlink {
|
||||
parentDir := filepath.Dir(filepath.Clean(file.Path))
|
||||
fullLinkTarget := filepath.Join(d.user.FullPath(parentDir), file.Link)
|
||||
scopedLinkTarget := d.user.FullPath(filepath.Join(parentDir, file.Link))
|
||||
if fullLinkTarget != scopedLinkTarget {
|
||||
err = errors.ErrNotExist
|
||||
return errToStatus(err), err
|
||||
}
|
||||
}
|
||||
|
||||
if r.URL.Query().Get("disk_usage") == "true" {
|
||||
du, inodes, err := fileutils.DiskUsage(file.Fs, file.Path, 100)
|
||||
if err != nil {
|
||||
|
|
|
|||
Loading…
Reference in New Issue