From cae083aa1cf6a3d0e009eaa0f6b2cef9311fef61 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 28 Aug 2016 13:08:06 -0400 Subject: belt and suspenders path injection check This does not seem to be necessary for the HTTP server, because servant parses the StorableObjectIdent out of query path, so it can't contain `/`. But, what if the HTTP server were running on windows? Then, `\` could be embedded in the StorableObjectIdent or perhaps a drive letter, etc. So, best to have a second level of defense against path injection. --- Storage/Local.hs | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'Storage') diff --git a/Storage/Local.hs b/Storage/Local.hs index 510b8ef..e8f6010 100644 --- a/Storage/Local.hs +++ b/Storage/Local.hs @@ -120,8 +120,11 @@ shareDir (Section section) = do u <- getUserEntryForID =<< getEffectiveUserID return $ homeDirectory u dotdir section +-- | The takeFileName ensures that, if the StorableObjectIdent somehow +-- contains a path (eg starts with "../" or "/"), it is not allowed +-- to point off outside the shareDir. shareFile :: StorableObjectIdent -> FilePath -shareFile i = U8.toString (toByteString i) <> ext +shareFile i = takeFileName (U8.toString (toByteString i)) <> ext fromShareFile :: FilePath -> Maybe StorableObjectIdent fromShareFile f -- cgit v1.2.3
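Review bot: In `shareFile`, `takeFileName` silently rewrites an ident that contains a path separator instead of rejecting it, so `../foo` and `foo` resolve to the same share file, and an ident that ends in a separator reduces to an empty name, leaving only `ext`. Consider having `shareFile` refuse such input, for example by returning `Maybe FilePath` and failing when `takeFileName s /= s` or the result is empty. A malformed StorableObjectIdent would then be surfaced, and could be logged, rather than aliased onto another object's file. Assuming this is System.FilePath's `takeFileName`, the new comment could also say that it splits on the host platform's separators, since that is what covers the `\` and drive-letter case the commit message raises for Windows; the comment currently mentions only "../" and "/".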