Fixing up some directory traversal attacks round 2

dtookey 2023-07-31 11:04:47 -04:00
parent 7a42f90b3f
commit fe84a6d7fd


@ -67,8 +67,9 @@ type (
// A FileRoute instance configured for serving text files, added to // A FileRoute instance configured for serving text files, added to
// the provided VinegarServlet. // the provided VinegarServlet.
var NewTextRoute RouteConstructor = func(servlet *VinegarServlet, urlPattern string, pathlike string, useCache bool) *FileRoute { var NewTextRoute RouteConstructor = func(servlet *VinegarServlet, urlPattern string, pathlike string, useCache bool) *FileRoute {
fileRoot := filepath.Clean(pathlike)
defaultPrune := strings.Replace(urlPattern, ".*", "", -1) defaultPrune := strings.Replace(urlPattern, ".*", "", -1)
route := FileRoute{srv: servlet, fileRoot: pathlike, UseCache: useCache} route := FileRoute{srv: servlet, fileRoot: fileRoot, UseCache: useCache}
textRouteHandler := createCompressibleFileServletFunction(&route, defaultPrune, pathlike) textRouteHandler := createCompressibleFileServletFunction(&route, defaultPrune, pathlike)
rootRoute := NewServletRoute(urlPattern, textRouteHandler) //i *still* kinda don't like this pattern rootRoute := NewServletRoute(urlPattern, textRouteHandler) //i *still* kinda don't like this pattern
route.VinegarRoute = rootRoute route.VinegarRoute = rootRoute
@ -79,8 +80,9 @@ var NewTextRoute RouteConstructor = func(servlet *VinegarServlet, urlPattern str
} }
var NewImageRoute RouteConstructor = func(servlet *VinegarServlet, urlPattern string, pathlike string, useCache bool) *FileRoute { var NewImageRoute RouteConstructor = func(servlet *VinegarServlet, urlPattern string, pathlike string, useCache bool) *FileRoute {
fileRoot := filepath.Clean(pathlike)
defaultPrune := strings.Replace(urlPattern, ".*", "", -1) defaultPrune := strings.Replace(urlPattern, ".*", "", -1)
route := FileRoute{srv: servlet, fileRoot: pathlike, UseCache: useCache} route := FileRoute{srv: servlet, fileRoot: fileRoot, UseCache: useCache}
rootRoute := NewServletRoute(urlPattern, createUncompressedFileServletFunction(&route, defaultPrune, pathlike)) rootRoute := NewServletRoute(urlPattern, createUncompressedFileServletFunction(&route, defaultPrune, pathlike))
route.VinegarRoute = rootRoute //i *kinda* don't like this pattern route.VinegarRoute = rootRoute //i *kinda* don't like this pattern
@ -172,7 +174,9 @@ func createCompressibleFileServletFunction(route *FileRoute, basePattern string,
cachedContent, exists := route.VinegarRoute.Cache.Get(stub) cachedContent, exists := route.VinegarRoute.Cache.Get(stub)
//i don't like this logic below. we need to streamline this a lot better. it's a twisty jungle right now //i don't like this logic below. we need to streamline this a lot better. it's a twisty jungle right now
resourcePath := path.Join(pathlike, filepath.Clean(stub)) filePath := filepath.Clean(stub)
pathRoot := filepath.Clean(pathlike)
resourcePath := path.Join(pathRoot, filePath)
if !exists { if !exists {
content, fileExists := util.GetDiskContent(resourcePath) content, fileExists := util.GetDiskContent(resourcePath)
@ -209,8 +213,11 @@ func createCompressibleFileServletFunction(route *FileRoute, basePattern string,
func createUncompressedFileServletFunction(route *FileRoute, basePattern string, pathlike string) VinegarHandlerFunction { func createUncompressedFileServletFunction(route *FileRoute, basePattern string, pathlike string) VinegarHandlerFunction {
var fun VinegarHandlerFunction = func(w http.ResponseWriter, req *http.Request) { var fun VinegarHandlerFunction = func(w http.ResponseWriter, req *http.Request) {
stub := filepath.Clean(strings.Replace(req.URL.Path, basePattern, "", 1)) stub := strings.Replace(req.URL.Path, basePattern, "", 1)
resourcePath := path.Join(pathlike, stub)
rootPath := filepath.Clean(pathlike)
filePath := filepath.Clean(stub)
resourcePath := path.Join(rootPath, filePath)
entry, exists := route.VinegarRoute.Cache.Get(stub) entry, exists := route.VinegarRoute.Cache.Get(stub)
if !exists { if !exists {
route.VinegarRoute.Cache.Put(stub, resourcePath) route.VinegarRoute.Cache.Put(stub, resourcePath)
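Review bot: The new `filepath.Clean(stub)` followed by `path.Join(rootPath, filePath)` in createUncompressedFileServletFunction (and the matching lines in createCompressibleFileServletFunction) normalises the path but never checks that the result stays under the root: Clean keeps the leading `..` elements of a relative path, and Join then resolves them against `rootPath`. Whether a stub can arrive here without a leading slash depends on `basePattern` and on routing that is not visible in these hunks, so I would anchor it before cleaning, `filePath := filepath.Clean("/" + stub)`, or reject the request when `filepath.Rel(rootPath, resourcePath)` returns a path starting with `..`. The uncompressed handler also now keys `Cache.Get` and `Cache.Put` on the raw `stub` instead of the cleaned value, so differently spelled request paths for the same file get separate cache entries; keying on `filePath` would avoid that. Both function bodies continue outside the hunks shown.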