diff options
| author | Jonas Diemer <jonasdiemer@gmail.com> | 2022-08-17 08:28:11 +0000 |
|---|---|---|
| committer | Jonas Diemer <jonasdiemer@gmail.com> | 2022-09-18 18:25:37 +0000 |
| commit | 5404e4fcb513bd8bf355e730aa37546b16164cad (patch) | |
| tree | 8b0e0d4a0b23cf598d84423cabc1d6bca38345ec | |
| parent | Use argument -u instead of --allowed-upload-dir (diff) | |
| download | miniserve-5404e4fcb513bd8bf355e730aa37546b16164cad.tar.gz miniserve-5404e4fcb513bd8bf355e730aa37546b16164cad.zip | |
sanitize allowed upload paths for cases like ./dir
| -rw-r--r-- | src/config.rs | 3 | ||||
| -rw-r--r-- | src/file_upload.rs | 2 | ||||
| -rw-r--r-- | tests/upload_files.rs | 1 |
3 files changed, 4 insertions, 2 deletions
diff --git a/src/config.rs b/src/config.rs index 4f794d1..1331e7d 100644 --- a/src/config.rs +++ b/src/config.rs @@ -16,6 +16,7 @@ use rustls_pemfile as pemfile; use crate::{ args::{CliArgs, MediaType}, auth::RequiredAuth, + file_upload::sanitize_path }; /// Possible characters for random routes @@ -251,7 +252,7 @@ impl MiniserveConfig { show_qrcode: args.qrcode, mkdir_enabled: args.mkdir_enabled, file_upload: !args.allowed_upload_dir.is_none(), - allowed_upload_dir: args.allowed_upload_dir.unwrap_or(vec![]), + allowed_upload_dir: args.allowed_upload_dir.unwrap_or(vec![]).iter().map(|x| sanitize_path(x, false).unwrap()).collect(), uploadable_media_type, tar_enabled: args.enable_tar, tar_gz_enabled: args.enable_tar_gz, diff --git a/src/file_upload.rs b/src/file_upload.rs index c6e7ac6..4d4f225 100644 --- a/src/file_upload.rs +++ b/src/file_upload.rs @@ -218,7 +218,7 @@ pub async fn upload_file( /// and optionally prevent traversing hidden directories. /// /// See the unit tests tests::test_sanitize_path* for examples -fn sanitize_path(path: &Path, traverse_hidden: bool) -> Option<PathBuf> { +pub fn sanitize_path(path: &Path, traverse_hidden: bool) -> Option<PathBuf> { let mut buf = PathBuf::new(); for comp in path.components() { diff --git a/tests/upload_files.rs b/tests/upload_files.rs index ca9f007..ecb7ddf 100644 --- a/tests/upload_files.rs +++ b/tests/upload_files.rs @@ -118,6 +118,7 @@ fn uploading_files_is_restricted(#[case] server: TestServer) -> Result<(), Error /// This tests that we can upload files to the directory specified by --allow-upload-dir #[rstest] #[case(server(&["-u", "someDir"]), vec!["someDir"])] +#[case(server(&["-u", "./someDir"]), vec!["./someDir"])] #[case(server(&["-u", "someDir/some_sub_dir"]), vec!["someDir/some_sub_dir"])] #[case(server(&["-u", "someDir/some_sub_dir", "-u", "someDir/some_other_dir"]), vec!["someDir/some_sub_dir", "someDir/some_other_dir"])] |