feat: filter out-of-scope symlinks (#10)

pull/3756/head
Laurynas Gadliauskas 2021-06-08 16:39:45 +03:00 committed by GitHub
parent 9e52e0cb7a
commit 372b1f00ed
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 1 deletions


@ -109,6 +109,8 @@ func (l byModified) Less(i, j int) bool {
return iModified.Sub(jModified) < 0 return iModified.Sub(jModified) < 0
} }
// FilterItems only includes items that return true when
// ran through the provided function
func (l *Listing) FilterItems(fn func(fi *FileInfo) bool) { func (l *Listing) FilterItems(fn func(fi *FileInfo) bool) {
filtered := []*FileInfo{} filtered := []*FileInfo{}
for _, item := range l.Items { for _, item := range l.Items {


@ -52,8 +52,22 @@ var resourceGetHandler = withUser(func(w http.ResponseWriter, r *http.Request, d
file.Listing.Sorting = d.user.Sorting file.Listing.Sorting = d.user.Sorting
file.Listing.ApplySort() file.Listing.ApplySort()
file.Listing.FilterItems(func(fi *files.FileInfo) bool { file.Listing.FilterItems(func(fi *files.FileInfo) bool {
// remove files that should be hidden
_, exists := d.server.HiddenFiles[fi.Name] _, exists := d.server.HiddenFiles[fi.Name]
return !exists if exists {
return false
}
// remove symlinks that link outside base path
if fi.IsSymlink {
fullLinkTarget := filepath.Join(d.user.FullPath(file.Path), fi.Link)
scopedLinkTarget := d.user.FullPath(filepath.Join(file.Path, fi.Link))
if fullLinkTarget != scopedLinkTarget {
return false
}
}
return true
}) })
return renderJSON(w, r, file) return renderJSON(w, r, file)
} }
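Review bot: The symlink check added inside the `FilterItems` callback is purely lexical and never looks at where the link actually resolves, so it can keep links whose real target lies outside the user's scope. `filepath.Join` does not treat an absolute second element specially, so for an absolute `fi.Link` both `fullLinkTarget` and `scopedLinkTarget` are built from the same concatenation and will most likely compare equal (this depends on `FullPath`, which is not visible here); a target that passes through another symlink is not caught either. I would resolve the target with `filepath.EvalSymlinks` and test containment against the resolved scope root with `filepath.Rel`, as sketched below; the sketch assumes `d.user.FullPath` returns an OS path and that `FullPath("/")` is the scope root, and it hides links that fail to resolve. This filter only affects the listing, so the same containment check is still needed wherever the path is opened or served, and the handler body starts outside this hunk.

```go
// … unchanged: hidden-file check …
if fi.IsSymlink {
	target := fi.Link
	if !filepath.IsAbs(target) {
		// relative targets are relative to the directory that holds the link
		target = filepath.Join(d.user.FullPath(file.Path), target)
	}
	resolved, err := filepath.EvalSymlinks(target)
	if err != nil {
		return false // dangling or unreadable link: treat as out of scope
	}
	// assumption: FullPath("/") is the user's scope root; resolve it too so
	// both sides of the comparison are canonical
	root, err := filepath.EvalSymlinks(d.user.FullPath("/"))
	if err != nil {
		return false
	}
	rel, err := filepath.Rel(root, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return false
	}
}
return true
```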