openSUSE:Backports:SLE-15-SP6:Update
zola
0001-fix-life-in-zola-serve.patch
File 0001-fix-life-in-zola-serve.patch of Package zola
From 8d514e8bebeaa73393450fc386c01aec35bfe8a4 Mon Sep 17 00:00:00 2001 From: adeadfed <maksym.vatsyk17@gmail.com> Date: Mon, 24 Jul 2023 18:41:23 +0200 Subject: [PATCH 1/2] use fs canonicalize to prevent path traversal --- src/cmd/serve.rs | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/cmd/serve.rs b/src/cmd/serve.rs index 52b1d585b..e102e90d0 100644 --- a/src/cmd/serve.rs +++ b/src/cmd/serve.rs @@ -116,6 +116,14 @@ async fn handle_request(req: Request<Body>, mut root: PathBuf) -> Result<Respons // otherwise `PathBuf` will interpret it as an absolute path root.push(&decoded[1..]); + // Resolve the root + user supplied path into the absolute path + // this should hopefully remove any path traversals + // if we fail to resolve path, we should return 404 + root = match tokio::fs::canonicalize(&root).await { + Ok(d) => d, + Err(_) => return Ok(not_found()) + }; + // Ensure we are only looking for things in our public folder if !root.starts_with(original_root) { return Ok(not_found()); From 219fe9bed1d2aae5c6b57b2017cce8956ce62cf7 Mon Sep 17 00:00:00 2001 From: Maksym Vatsyk <maksym.vatsyk17@gmail.com> Date: Mon, 24 Jul 2023 23:38:47 +0200 Subject: [PATCH 2/2] fix cargo fmt --- src/cmd/serve.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/cmd/serve.rs b/src/cmd/serve.rs index e102e90d0..a6e906cb0 100644 --- a/src/cmd/serve.rs +++ b/src/cmd/serve.rs @@ -121,9 +121,9 @@ async fn handle_request(req: Request<Body>, mut root: PathBuf) -> Result<Respons // if we fail to resolve path, we should return 404 root = match tokio::fs::canonicalize(&root).await { Ok(d) => d, - Err(_) => return Ok(not_found()) + Err(_) => return Ok(not_found()), }; - + // Ensure we are only looking for things in our public folder if !root.starts_with(original_root) { return Ok(not_found());
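Review bot: in the first hunk (`@@ -116,6 +116,14 @@`), `root` is now canonicalized before the `root.starts_with(original_root)` check, but nothing in the hunk shows `original_root` being canonicalized too; `tokio::fs::canonicalize` returns an absolute path with every symlink resolved (and a `\\?\` verbatim prefix on Windows), so if `original_root` was built from a relative path, contains a symlinked component, or lacks that prefix, `starts_with` will fail for every request and the server will answer 404 even for legitimate files under the public folder. Canonicalize `original_root` once at startup (failing loudly if that fails) and compare the two resolved paths. While here, the comment `// this should hopefully remove any path traversals` undersells what the code relies on: canonicalization removes `..` components and resolves symlinks, and the `starts_with` check immediately below is what actually enforces the boundary; stating that plainly makes the intent of the two lines reviewable together.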
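Review bot: the second hunk (`@@ -121,9 +121,9 @@`) only adds the trailing comma after `Err(_) => return Ok(not_found()),` and strips trailing whitespace from the blank line introduced by the first commit; since it corrects formatting of lines that do not exist before this series, squash it into the first commit so the backported patch lands as one `cargo fmt`-clean change rather than a fix followed by its own style fix-up.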