Fixing up some directory traversal attacks round 2

This commit is contained in:
dtookey 2023-07-31 11:04:47 -04:00
parent 7a42f90b3f
commit fe84a6d7fd


@ -67,8 +67,9 @@ type (
// A FileRoute instance configured for serving text files, added to
// the provided VinegarServlet.
var NewTextRoute RouteConstructor = func(servlet *VinegarServlet, urlPattern string, pathlike string, useCache bool) *FileRoute {
fileRoot := filepath.Clean(pathlike)
defaultPrune := strings.Replace(urlPattern, ".*", "", -1)
route := FileRoute{srv: servlet, fileRoot: pathlike, UseCache: useCache}
route := FileRoute{srv: servlet, fileRoot: fileRoot, UseCache: useCache}
textRouteHandler := createCompressibleFileServletFunction(&route, defaultPrune, pathlike)
rootRoute := NewServletRoute(urlPattern, textRouteHandler) //i *still* kinda don't like this pattern
route.VinegarRoute = rootRoute
@ -79,8 +80,9 @@ var NewTextRoute RouteConstructor = func(servlet *VinegarServlet, urlPattern str
}
var NewImageRoute RouteConstructor = func(servlet *VinegarServlet, urlPattern string, pathlike string, useCache bool) *FileRoute {
fileRoot := filepath.Clean(pathlike)
defaultPrune := strings.Replace(urlPattern, ".*", "", -1)
route := FileRoute{srv: servlet, fileRoot: pathlike, UseCache: useCache}
route := FileRoute{srv: servlet, fileRoot: fileRoot, UseCache: useCache}
rootRoute := NewServletRoute(urlPattern, createUncompressedFileServletFunction(&route, defaultPrune, pathlike))
route.VinegarRoute = rootRoute //i *kinda* don't like this pattern
@ -172,7 +174,9 @@ func createCompressibleFileServletFunction(route *FileRoute, basePattern string,
cachedContent, exists := route.VinegarRoute.Cache.Get(stub)
//i don't like this logic below. we need to streamline this a lot better. it's a twisty jungle right now
resourcePath := path.Join(pathlike, filepath.Clean(stub))
filePath := filepath.Clean(stub)
pathRoot := filepath.Clean(pathlike)
resourcePath := path.Join(pathRoot, filePath)
if !exists {
content, fileExists := util.GetDiskContent(resourcePath)
@ -209,8 +213,11 @@ func createCompressibleFileServletFunction(route *FileRoute, basePattern string,
func createUncompressedFileServletFunction(route *FileRoute, basePattern string, pathlike string) VinegarHandlerFunction {
var fun VinegarHandlerFunction = func(w http.ResponseWriter, req *http.Request) {
stub := filepath.Clean(strings.Replace(req.URL.Path, basePattern, "", 1))
resourcePath := path.Join(pathlike, stub)
stub := strings.Replace(req.URL.Path, basePattern, "", 1)
rootPath := filepath.Clean(pathlike)
filePath := filepath.Clean(stub)
resourcePath := path.Join(rootPath, filePath)
entry, exists := route.VinegarRoute.Cache.Get(stub)
if !exists {
route.VinegarRoute.Cache.Put(stub, resourcePath)
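Review bot: `filePath := filepath.Clean(stub)` followed by `resourcePath := path.Join(pathRoot, filePath)` still lets a request path that begins with `..` resolve outside `pathRoot`, because Clean only collapses a `..` that follows another element and leaves a leading `../` in a relative path intact; the same pattern is repeated in createUncompressedFileServletFunction (`filePath := filepath.Clean(stub)` / `resourcePath := path.Join(rootPath, filePath)`). Root the stub before cleaning and join with the OS-aware function, e.g. `filePath := filepath.Clean("/" + stub)` and `resourcePath := filepath.Join(pathRoot, filePath)`: once the stub is rooted, Clean discards any leading `..` and the result cannot leave the root lexically, which is the idiom net/http's file server relies on. Mixing `path.Join` with `filepath.Clean` is also worth avoiding, since `path` only understands forward slashes, so on Windows a backslash-separated stub would presumably pass through the join unchanged — worth confirming. Both enclosing handler functions begin and end outside the visible hunks.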