YGGverse/flarumdown
1
0
Fork 0
mirror of https://github.com/YGGverse/flarumdown.git synced 2026-03-31 16:55:29 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

apply traversal filter to path_source only, warn instead of panic

Browse source
This commit is contained in:
yggverse 2026-03-19 20:55:57 +02:00
parent 7b3d5e010b
commit 42ff89d741
1 changed files with 22 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

38
src/main.rs
View file

@ -193,30 +193,34 @@ fn main() -> Result<()> {
let path_source = { let path_source = {
let mut p = PathBuf::from(&config.upload); let mut p = PathBuf::from(&config.upload);
p.push(upload); p.push(upload);
p.canonicalize()? match p.canonicalize() {
Ok(canonical) => {
if canonical.starts_with(&config.upload) {
canonical
} else {
warn!(
"Possible traversal request: `{}` (post #{}, user #{})",
canonical.to_string_lossy(),
post.id,
post.user_id
);
continue;
}
}
Err(e) => {
error!("{e}: `{}` (post #{})", p.to_string_lossy(), post.id);
continue;
}
}
}; };
let path_target = { let path_target = {
let mut p = PathBuf::from(&config.target); let mut p = PathBuf::from(&config.target);
p.push(upload); p.push(upload);
p.canonicalize()? p
}; };
// prevent traversal request
assert!(path_source.starts_with(&config.upload));
assert!(path_target.starts_with(&config.target));
let path_parent = path_target.parent().unwrap();
create_dir_all(path_parent)?;
if !path_target.exists() { if !path_target.exists() {
if path_source.exists() { create_dir_all(path_target.parent().unwrap())?;
copy(path_source, path_target)?; copy(path_source, path_target)?;
} else {
warn!(
"Source file does not exist: `{}`",
path_source.to_string_lossy()
)
}
} }
} }
content.push("---\n".into()) content.push("---\n".into())