From 422ee62c3da9ffb0e32c67e1b574f605f3f2fc33 Mon Sep 17 00:00:00 2001 From: yggverse Date: Sun, 3 Aug 2025 14:10:06 +0300 Subject: [PATCH] add PathBuf resolved validation --- src/preload.rs | 34 +++++++++++++++++++--------------- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/src/preload.rs b/src/preload.rs index 008435b..a20d53e 100644 --- a/src/preload.rs +++ b/src/preload.rs @@ -3,7 +3,7 @@ use std::{fs, path::PathBuf}; /// Temporary file storage for `librqbit` preload data pub struct Preload { - directory: PathBuf, + root: PathBuf, pub max_filecount: Option, pub max_filesize: Option, } @@ -20,21 +20,17 @@ impl Preload { Ok(Self { max_filecount, max_filesize, - directory, + root: directory.canonicalize()?, }) } pub fn clear_output_folder(&self, info_hash: &str) -> Result<()> { - let mut p = PathBuf::from(&self.directory); - p.push(info_hash); - fs::remove_dir_all(&p)?; - Ok(()) + Ok(fs::remove_dir_all(&self.path(&PathBuf::from(info_hash))?)?) } /// * create new directory if not exists pub fn output_folder(&self, info_hash: &str) -> Result { - let mut p = PathBuf::from(&self.directory); - p.push(info_hash); + let p = self.path(&PathBuf::from(info_hash))?; if !p.exists() { fs::create_dir(&p)? } @@ -42,14 +38,22 @@ impl Preload { } pub fn root(&self) -> PathBuf { - self.directory.clone() + self.root.clone() } - pub fn bytes(&self, path: &PathBuf) -> Result> { - Ok(std::fs::read({ - let mut p = PathBuf::from(&self.directory); - p.push(path); - p - })?) + pub fn bytes(&self, relative: &PathBuf) -> Result> { + Ok(std::fs::read(self.path(relative)?)?) + } + + fn path(&self, relative: &PathBuf) -> Result { + let mut p = PathBuf::from(&self.root); + p.push(relative); + if p.canonicalize()?.starts_with(&self.root) { + bail!( + "Unexpected absolute path resolved for `{}`!", + p.to_string_lossy() + ) + } + Ok(p) } }