author | Joey Hess <joeyh@joeyh.name> | 2016-08-28 13:08:06 -0400 |
---|---|---|
committer | Joey Hess <joeyh@joeyh.name> | 2016-08-28 13:08:06 -0400 |
commit | cae083aa1cf6a3d0e009eaa0f6b2cef9311fef61 (patch) | |
tree | adf5fbfecc2c3ae5292a1e1c4f0228d1221088b0 /Storage | |
parent | b35b44e0d47abca77107ad689b620c0721412cb6 (diff) | |
download | keysafe-cae083aa1cf6a3d0e009eaa0f6b2cef9311fef61.tar.gz |
belt and suspenders path injection check
This does not seem to be necessary for the HTTP server, because servant
parses the StorableObjectIdent out of the query path, so it can't contain `/`.
But, what if the HTTP server were running on Windows? Then, `\` could be
embedded in the StorableObjectIdent or perhaps a drive letter, etc. So,
best to have a second level of defense against path injection.
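The commit message above argues for a second, filesystem-level line of defense against an ident that carries `/`, `\` or a drive letter. The following is an added example, not keysafe's own code, showing what the `takeFileName` approach does to such idents on each platform (using the explicit POSIX and Windows flavours of `filepath` so the result does not depend on the host), next to a stricter fail-closed validator that rejects anything that is not a single path component. `validIdent`, `safeShareFile`, the `.share` extension and the share-directory path are assumptions made for the example.

```haskell
-- Added example (not keysafe code): fail-closed ident validation beside the
-- takeFileName defense. validIdent / safeShareFile / ".share" are hypothetical.
module Main where

import Data.Char (isAlpha)
import System.FilePath ((</>), (<.>))
import qualified System.FilePath.Posix as Posix
import qualified System.FilePath.Windows as Win

-- | Reject rather than rewrite: an ident is accepted only if it can never be
-- read as anything but a single path component on either platform.
validIdent :: String -> Bool
validIdent s
  =  not (null s)
  && all ok s
  && s /= "." && s /= ".."
  && not (hasDriveLetter s)
  where
    -- Both separators and NUL are refused regardless of the host OS.
    ok c = c /= '/' && c /= '\\' && c /= '\0'
    -- "C:secret" is drive-relative on Windows even without a separator.
    hasDriveLetter (d:':':_) = isAlpha d
    hasDriveLetter _         = False

-- | Hypothetical stand-in for shareFile: Nothing instead of a rewritten name.
safeShareFile :: FilePath -> String -> Maybe FilePath
safeShareFile shareDir ident
  | validIdent ident = Just (shareDir </> ident <.> "share")
  | otherwise        = Nothing

-- | What the commit's takeFileName defense yields for the same inputs, on a
-- POSIX host and on a Windows host respectively.
stripPosix, stripWindows :: String -> String
stripPosix   = Posix.takeFileName
stripWindows = Win.takeFileName

-- Constructed sample idents covering the cases the commit message raises.
samples :: [String]
samples =
  [ "abc123"            -- ordinary ident
  , "../../etc/passwd"  -- POSIX traversal
  , "..\\..\\secret"    -- Windows traversal: untouched by Posix.takeFileName
  , "C:\\Users\\x"      -- absolute Windows path with drive letter
  , "C:secret"          -- drive-relative, no separator at all
  , "a/b"               -- "a/b" and "c/b" collide on "b" after stripping
  , "c/b"
  , "trailing/"         -- takeFileName gives "", i.e. a file named ".share"
  , ".."
  ]

main :: IO ()
main = mapM_ report samples
  where
    report i = putStrLn $ concat
      [ show i
      , "\n  posix takeFileName   -> ", show (stripPosix i)
      , "\n  windows takeFileName -> ", show (stripWindows i)
      , "\n  fail-closed          -> ", show (safeShareFile "/home/u/.keysafe/s" i)
      ]
```

Run it with `runghc` (the `filepath` package ships with GHC). The output makes the platform dependence visible: `Posix.takeFileName` leaves `..\..\secret` and `C:secret` intact, so the stripping defense only handles them when the host-specific `System.FilePath` is used on a Windows host, whereas the validator refuses them everywhere and also refuses the idents that stripping would silently merge.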
Diffstat (limited to 'Storage')
-rw-r--r-- | Storage/Local.hs | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/Storage/Local.hs b/Storage/Local.hs index 510b8ef..e8f6010 100644 --- a/Storage/Local.hs +++ b/Storage/Local.hs @@ -120,8 +120,11 @@ shareDir (Section section) = do u <- getUserEntryForID =<< getEffectiveUserID return $ homeDirectory u </> dotdir </> section +-- | The takeFileName ensures that, if the StorableObjectIdent somehow +-- contains a path (eg starts with "../" or "/"), it is not allowed +-- to point off outside the shareDir. shareFile :: StorableObjectIdent -> FilePath -shareFile i = U8.toString (toByteString i) <> ext +shareFile i = takeFileName (U8.toString (toByteString i)) <> ext fromShareFile :: FilePath -> Maybe StorableObjectIdent fromShareFile f |
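Review bot: `takeFileName` in the new `shareFile` silently rewrites a bad ident instead of rejecting it, so two distinct idents such as `a/x` and `b/x` both map to `x<ext>`, and an ident ending in a separator (`foo/`) maps to bare `ext`; that lets one ident's share overwrite another's and breaks the `fromShareFile` round trip. Since the commit message says the HTTP layer should never hand over such an ident, fail closed instead: check `takeFileName s == s` and treat a mismatch as invalid (e.g. make `shareFile` return `Maybe FilePath`, or validate when the StorableObjectIdent is parsed) rather than normalizing. Also, the Windows case the message worries about is only covered if `System.FilePath` (the host-specific module) is what is imported, which this hunk does not show; with `System.FilePath.Posix` a `\` or drive prefix would pass through untouched on Windows.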