all repos — felt @ 9e754b0733ce45024ac2fe0846ca899ca8a6595d

virtual tabletop for dungeons and dragons (and similar) using Go, MongoDB, and websockets

anti path traversal
Iris Lightshard nilix@nilfm.cc
PGP Signature 
-----BEGIN PGP SIGNATURE-----

iHUEABYKAB0WIQT/foVVmI9pK13hPWFohAcXSWbK8wUCZjWNrwAKCRBohAcXSWbK
83Y7AP0XUd8nwq8kkoVphYGzxASm/dNDe/ZdqHDtsiPc269FrQEA0Nt63/TBQhI7
37bAGRbFihG9+9CmqQd6EtiFQd7Qxw8=
=1+67
-----END PGP SIGNATURE-----
commit

9e754b0733ce45024ac2fe0846ca899ca8a6595d

parent

140e775d66d6144444fd3ccdbb0862b2da546c07

2 files changed, 14 insertions(+), 2 deletions(-)

jump to
M admin/admin.goadmin/admin.go 
@@ -17,6 +17,7 @@ "net/http"
 	"os"
 	"path/filepath"
 	"regexp"
+	"strings"
 )
 
 func apiGetTableList(next http.Handler, udb auth.UserStore) http.Handler {

@@ -201,16 +202,23 @@ err = os.MkdirAll(filepath.Join(uploads, tableKey.Name, uploadType), 0755)
 		// check for filename; call create to overwrite regardless
 		// get file data from multipart form
 		header := f.File["file"][0]
+		if strings.Contains(header.Filename, "/") {
+		  w.WriteHeader(422)
+		  next.ServeHTTP(w, req)
+		  return
+		}
 		file, err := header.Open()
 		if err != nil {
 			fmt.Println(err.Error())
 			w.WriteHeader(500)
 			next.ServeHTTP(w, req)
+			return
 		}
 		fileData, err := ioutil.ReadAll(file)
 		if err != nil {
 			w.WriteHeader(500)
 			next.ServeHTTP(w, req)
+			return
 		}
 		// write to file
 		destPath := filepath.Join(uploads, tableKey.Name, uploadType, header.Filename)

@@ -282,7 +290,6 @@ }
 		}
 		w.WriteHeader(422)
 		next.ServeHTTP(w, req)
-		return
 	}
 
 	return http.HandlerFunc(handlerFunc)

@@ -316,6 +323,11 @@ if ok {
 				if dbAdapter.CheckTable(tableKey) {
 					// if the file exists, delete it and return 201
 					filename := urlParams["file"]
+					if strings.Contains(filename, "/") {
+					  w.WriteHeader(422)
+					  next.ServeHTTP(w, req)
+					  return
+					}
 					fullPath := filepath.Join(uploads, tableName, uploadType, filename)
 					s, err := os.Stat(fullPath)
 					if err == nil && !s.IsDir() {
M static/index.htmlstatic/index.html 
@@ -146,7 +146,7 @@ <button onclick="setTheme()">Apply</button><button onclick="resetTheme(defaultTheme)">Reset</button>
       </form>
     </details>
     <div id="lag" style="display:none;">lag...</div>
-    <div class="ui_win" id="felt_info"><a href="https://hacklab.nilfm.cc/felt">felt v0.2.6</a> (<a href="https://hacklab.nilfm.cc/felt/raw/main/LICENSE">license</a>) | built with <a href="https://leafletjs.com">leaflet</a> (<a href="https://hacklab.nilfm.cc/felt/raw/main/LEAFLET_LICENSE">license</a>) </div>
+    <div class="ui_win" id="felt_info"><a href="https://hacklab.nilfm.cc/felt">felt v0.2.7</a> (<a href="https://hacklab.nilfm.cc/felt/raw/main/LICENSE">license</a>) | built with <a href="https://leafletjs.com">leaflet</a> (<a href="https://hacklab.nilfm.cc/felt/raw/main/LEAFLET_LICENSE">license</a>) </div>
 </nav>
 </body>
     <script>L_DISABLE_3D = window.location.hash.toLowerCase() === "#no3d";</script>