
virtual tabletop for dungeons and dragons (and similar) using Go, MongoDB, and websockets

anti path traversal
Iris Lightshard nilix@nilfm.cc
PGP Signature
-----BEGIN PGP SIGNATURE-----

iHUEABYKAB0WIQT/foVVmI9pK13hPWFohAcXSWbK8wUCZjWNrwAKCRBohAcXSWbK
83Y7AP0XUd8nwq8kkoVphYGzxASm/dNDe/ZdqHDtsiPc269FrQEA0Nt63/TBQhI7
37bAGRbFihG9+9CmqQd6EtiFQd7Qxw8=
=1+67
-----END PGP SIGNATURE-----
commit

9e754b0733ce45024ac2fe0846ca899ca8a6595d

parent

140e775d66d6144444fd3ccdbb0862b2da546c07

2 files changed, 14 insertions(+), 2 deletions(-)

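--- a/admin/admin.go
+++ b/admin/admin.go
@@ -17,6 +17,7 @@ "net/http"
 	"os"
 	"path/filepath"
 	"regexp"
+	"strings"
 )
 
 func apiGetTableList(next http.Handler, udb auth.UserStore) http.Handler {
@@ -201,16 +202,23 @@ err = os.MkdirAll(filepath.Join(uploads, tableKey.Name, uploadType), 0755)
 	// check for filename; call create to overwrite regardless
 	// get file data from multipart form
 	header := f.File["file"][0]
+	if strings.Contains(header.Filename, "/") {
+		w.WriteHeader(422)
+		next.ServeHTTP(w, req)
+		return
+	}
 	file, err := header.Open()
 	if err != nil {
 		fmt.Println(err.Error())
 		w.WriteHeader(500)
 		next.ServeHTTP(w, req)
+		return
 	}
 	fileData, err := ioutil.ReadAll(file)
 	if err != nil {
 		w.WriteHeader(500)
 		next.ServeHTTP(w, req)
+		return
 	}
 	// write to file
 	destPath := filepath.Join(uploads, tableKey.Name, uploadType, header.Filename)
@@ -282,7 +290,6 @@ }
 		}
 		w.WriteHeader(422)
 		next.ServeHTTP(w, req)
-		return
 	}
 
 	return http.HandlerFunc(handlerFunc)
@@ -316,6 +323,11 @@ if ok {
 		if dbAdapter.CheckTable(tableKey) {
 			// if the file exists, delete it and return 201
 			filename := urlParams["file"]
+			if strings.Contains(filename, "/") {
+				w.WriteHeader(422)
+				next.ServeHTTP(w, req)
+				return
+			}
 			fullPath := filepath.Join(uploads, tableName, uploadType, filename)
 			s, err := os.Stat(fullPath)
 			if err == nil && !s.IsDir() {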
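Review bot: The new guard in the upload hunk (`header.Filename`, taken from the multipart form) and the matching guard in the delete hunk (`urlParams["file"]`) reject only a forward slash, so a name of `..` or `.`, or one containing a backslash (a separator for `filepath.Join` on Windows), still reaches the `filepath.Join` calls that build `destPath` and `fullPath`. A base-name check covers all of those and can replace both `strings.Contains` conditions: `if name := filepath.Base(header.Filename); name != header.Filename || name == "." || name == ".." || strings.ContainsAny(name, "/\\") {` (the same form for `filename` in the delete path). Since the guard is now duplicated verbatim in two handlers, a small `isSafeUploadName(name string) bool` helper called from both places would keep the two checks from drifting apart. The enclosing handler functions start and end outside these hunks.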
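--- a/static/index.html
+++ b/static/index.html
@@ -146,7 +146,7 @@ <button onclick="setTheme()">Apply</button><button onclick="resetTheme(defaultTheme)">Reset</button>
 </form>
 </details>
 <div id="lag" style="display:none;">lag...</div>
-<div class="ui_win" id="felt_info"><a href="https://hacklab.nilfm.cc/felt">felt v0.2.6</a> (<a href="https://hacklab.nilfm.cc/felt/raw/main/LICENSE">license</a>) | built with <a href="https://leafletjs.com">leaflet</a> (<a href="https://hacklab.nilfm.cc/felt/raw/main/LEAFLET_LICENSE">license</a>) </div>
+<div class="ui_win" id="felt_info"><a href="https://hacklab.nilfm.cc/felt">felt v0.2.7</a> (<a href="https://hacklab.nilfm.cc/felt/raw/main/LICENSE">license</a>) | built with <a href="https://leafletjs.com">leaflet</a> (<a href="https://hacklab.nilfm.cc/felt/raw/main/LEAFLET_LICENSE">license</a>) </div>
 </nav>
 </body>
 <script>L_DISABLE_3D = window.location.hash.toLowerCase() === "#no3d";</script>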