mirror of https://github.com/osmarks/mycorrhiza.git synced 2024-12-12 13:30:26 +00:00

Make sure the uploaded hypha filepath is nested in wiki dir

I couldn't make it work differently though
Timur Ismagilov 2021-06-15 01:27:25 +05:00
parent cbfa89b720
commit b4e0ff2e34


@ -9,6 +9,7 @@ import (
"mime/multipart"
"os"
"path/filepath"
"strings"
"github.com/bouncepaw/mycorrhiza/history"
"github.com/bouncepaw/mycorrhiza/hyphae"
@ -31,7 +32,6 @@ func UploadText(h *hyphae.Hypha, data []byte, message string, u *user.User) (hop
hop.WithMsg(fmt.Sprintf("%s %s: %s", action, h.Name, message))
}
if err, errtitle := CanEdit(u, h); err != nil {
return hop.WithErrAbort(err), errtitle
}
@ -64,9 +64,16 @@ func UploadBinary(h *hyphae.Hypha, mime string, file multipart.File, u *user.Use
// uploadHelp is a helper function for UploadText and UploadBinary
func uploadHelp(h *hyphae.Hypha, hop *history.HistoryOp, ext string, data []byte, u *user.User) (*history.HistoryOp, string) {
var (
fullPath = filepath.Join(cfg.WikiDir, h.Name+ext)
fullPath, err = filepath.EvalSymlinks(filepath.Join(cfg.WikiDir, h.Name+ext))
originalFullPath = &h.TextPath
)
if err != nil {
return hop.WithErrAbort(err), err.Error()
}
if !strings.HasPrefix(fullPath, cfg.WikiDir) { // If the path somehow got outside the wiki dir
err = errors.New("bad path")
return hop.WithErrAbort(err), err.Error()
}
if hop.Type == history.TypeEditBinary {
originalFullPath = &h.BinaryPath
}
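Review bot: The containment check `strings.HasPrefix(fullPath, cfg.WikiDir)` in uploadHelp is a plain string-prefix test, so a sibling directory whose name merely begins with the wiki directory's name also passes. It also compares a symlink-resolved path against a `cfg.WikiDir` that is neither resolved nor cleaned in the visible lines, which can reject legitimate paths when the wiki dir is relative or reached through a symlink. `filepath.EvalSymlinks` additionally returns an error when the target does not exist, so unless the file is created earlier (not visible here) uploading a brand-new hypha would abort at the first `if err != nil`. I would resolve the wiki root once, join the name onto it and test containment with `filepath.Rel`, as sketched below; if symlinks inside the wiki must be rejected too, resolve the parent directory once it exists rather than the not-yet-written file. The body of uploadHelp continues past the end of the hunk.

```go
func uploadHelp(h *hyphae.Hypha, hop *history.HistoryOp, ext string, data []byte, u *user.User) (*history.HistoryOp, string) {
	// Resolve the wiki root itself so both sides of the comparison are in the same form.
	wikiRoot, err := filepath.EvalSymlinks(cfg.WikiDir)
	if err != nil {
		return hop.WithErrAbort(err), err.Error()
	}
	fullPath := filepath.Join(wikiRoot, h.Name+ext)
	// Rel yields ".." or "../…" when fullPath is not under wikiRoot; this is
	// separator-aware, unlike a raw string-prefix comparison.
	rel, err := filepath.Rel(wikiRoot, fullPath)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		err = errors.New("bad path")
		return hop.WithErrAbort(err), err.Error()
	}
	originalFullPath := &h.TextPath
	// … unchanged: history.TypeEditBinary branch and the rest of the function …
```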