anti path traversal
Iris Lightshard nilix@nilfm.cc
PGP Signature
-----BEGIN PGP SIGNATURE----- iHUEABYKAB0WIQT/foVVmI9pK13hPWFohAcXSWbK8wUCZjWNrwAKCRBohAcXSWbK 83Y7AP0XUd8nwq8kkoVphYGzxASm/dNDe/ZdqHDtsiPc269FrQEA0Nt63/TBQhI7 37bAGRbFihG9+9CmqQd6EtiFQd7Qxw8= =1+67 -----END PGP SIGNATURE-----
2 files changed,
14 insertions(+),
2 deletions(-)
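--- a/admin/admin.go
+++ b/admin/admin.go
@@ -17,6 +17,7 @@ "net/http"
 	"os"
 	"path/filepath"
 	"regexp"
+	"strings"
 )
 
 func apiGetTableList(next http.Handler, udb auth.UserStore) http.Handler {
@@ -201,16 +202,23 @@ err = os.MkdirAll(filepath.Join(uploads, tableKey.Name, uploadType), 0755)
 		// check for filename; call create to overwrite regardless
 		// get file data from multipart form
 		header := f.File["file"][0]
+		if strings.Contains(header.Filename, "/") {
+			w.WriteHeader(422)
+			next.ServeHTTP(w, req)
+			return
+		}
 		file, err := header.Open()
 		if err != nil {
 			fmt.Println(err.Error())
 			w.WriteHeader(500)
 			next.ServeHTTP(w, req)
+			return
 		}
 		fileData, err := ioutil.ReadAll(file)
 		if err != nil {
 			w.WriteHeader(500)
 			next.ServeHTTP(w, req)
+			return
 		}
 		// write to file
 		destPath := filepath.Join(uploads, tableKey.Name, uploadType, header.Filename)
@@ -282,7 +290,6 @@ }
 		}
 		w.WriteHeader(422)
 		next.ServeHTTP(w, req)
-		return
 	}
 
 	return http.HandlerFunc(handlerFunc)
@@ -316,6 +323,11 @@ if ok {
 			if dbAdapter.CheckTable(tableKey) {
 				// if the file exists, delete it and return 201
 				filename := urlParams["file"]
+				if strings.Contains(filename, "/") {
+					w.WriteHeader(422)
+					next.ServeHTTP(w, req)
+					return
+				}
 				fullPath := filepath.Join(uploads, tableName, uploadType, filename)
 				s, err := os.Stat(fullPath)
 				if err == nil && !s.IsDir() {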
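Review bot: The new guard after `header := f.File["file"][0]` (and the matching one before `fullPath` in the delete handler) rejects only a forward slash, so a filename of `..`, `.` or the empty string, and on a Windows host one containing backslashes, still reaches `filepath.Join`, which cleans the path and resolves it to a directory other than the intended uploadType directory; whether the later write or `os.Stat` then misbehaves depends on code outside the hunk. A single-path-element check is the robust form: `if header.Filename == "" || header.Filename == "." || header.Filename == ".." || strings.ContainsAny(header.Filename, "/\\") {` and the same test on `filename` in the delete hunk. Since the check is now duplicated, it could move into one small helper documented as `// isSafeName reports whether name is a single path element that cannot leave its directory.` Both enclosing handler functions start and end outside the hunks.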
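--- a/static/index.html
+++ b/static/index.html
@@ -146,7 +146,7 @@ <button onclick="setTheme()">Apply</button><button onclick="resetTheme(defaultTheme)">Reset</button>
 </form>
 </details>
 <div id="lag" style="display:none;">lag...</div>
-<div class="ui_win" id="felt_info"><a href="https://hacklab.nilfm.cc/felt">felt v0.2.6</a> (<a href="https://hacklab.nilfm.cc/felt/raw/main/LICENSE">license</a>) | built with <a href="https://leafletjs.com">leaflet</a> (<a href="https://hacklab.nilfm.cc/felt/raw/main/LEAFLET_LICENSE">license</a>) </div>
+<div class="ui_win" id="felt_info"><a href="https://hacklab.nilfm.cc/felt">felt v0.2.7</a> (<a href="https://hacklab.nilfm.cc/felt/raw/main/LICENSE">license</a>) | built with <a href="https://leafletjs.com">leaflet</a> (<a href="https://hacklab.nilfm.cc/felt/raw/main/LEAFLET_LICENSE">license</a>) </div>
 </nav>
 </body>
 <script>L_DISABLE_3D = window.location.hash.toLowerCase() === "#no3d";</script>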