github
/
filebrowser
mirror of https://github.com/filebrowser/filebrowser
1
0
Fork 0
Code Issues Releases Wiki Activity

fix: check absolute symlinks

pull/3756/head
Laurynas Gadliauskas 2021-06-09 12:44:51 +03:00
parent 267c9a42e0
commit 53df153a70
1 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
http/resource.go
View File

@ -65,7 +65,12 @@ var resourceGetHandler = withUser(func(w http.ResponseWriter, r *http.Request, d
// remove symlinks that link outside base path
if fi.IsSymlink {
fullLinkTarget := filepath.Join(d.user.FullPath(file.Path), fi.Link)
var fullLinkTarget string
if filepath.IsAbs(fi.Link) {
fullLinkTarget = fi.Link
} else {
fullLinkTarget = filepath.Join(d.user.FullPath(file.Path), fi.Link)
}
scopedLinkTarget := d.user.FullPath(filepath.Join(file.Path, fi.Link))
if fullLinkTarget != scopedLinkTarget {
return false
@ -337,7 +342,12 @@ func checkOutOfScopeSymlink(d *data, target string) error {
symlink, err := lsf.ReadlinkIfPossible(evalPath)
if err == nil {
parentDir := filepath.Dir(evalPath)
fullLinkTarget := filepath.Join(d.user.FullPath(parentDir), symlink)
var fullLinkTarget string
if filepath.IsAbs(symlink) {
fullLinkTarget = symlink
} else {
fullLinkTarget = filepath.Join(d.user.FullPath(parentDir), symlink)
}
scopedLinkTarget := d.user.FullPath(filepath.Join(parentDir, symlink))
if fullLinkTarget != scopedLinkTarget {
return errors.ErrNotExist