Skip to content

Commit

Permalink
rework path expansion and subpath check (#16)
Browse files Browse the repository at this point in the history
  • Loading branch information
albertodonato authored Jan 11, 2024
1 parent dedd9c6 commit 30af02b
Showing 1 changed file with 18 additions and 20 deletions.
38 changes: 18 additions & 20 deletions server/filesystem.go
Original file line number Diff line number Diff line change
Expand Up @@ -66,34 +66,32 @@ func (fs FileSystem) open(name string) (*os.File, error) {
}

func (fs FileSystem) newFile(name string) (*File, error) {
absPath, err := fs.absPath(name)
path, err := fs.resolvePath(filepath.Join(fs.Root, name))
if err != nil {
return nil, err
}
if !fs.AllowOutsideSymlinks {
if target, err := filepath.EvalSymlinks(absPath); target != "" {
if err != nil {
return nil, err
}
path, err := filepath.Abs(target)
if err != nil {
return nil, err
}
root, err := filepath.Abs(fs.Root)
if err != nil {
return nil, err
}
if !strings.HasPrefix(path, root) {
return nil, os.ErrPermission
}
root, err := fs.resolvePath(fs.Root)
if err != nil {
return nil, err
}
if !strings.HasPrefix(path, root) {
return nil, os.ErrPermission
}
}
return NewFile(absPath, fs.HideDotFiles)
return NewFile(path, fs.HideDotFiles)
}

// Return the absolute path of a name under the filesystem.
func (fs FileSystem) absPath(name string) (string, error) {
return filepath.Abs(filepath.Join(fs.Root, name))
func (fs FileSystem) resolvePath(path string) (string, error) {
path, err := filepath.EvalSymlinks(path)
if err != nil {
return "", err
}
path, err = filepath.Abs(path)
if err != nil {
return "", err
}
return path, nil
}

// File is an entry of a FileSystem entry.
Expand Down

0 comments on commit 30af02b

Please sign in to comment.