author | Jonas Diemer <jonasdiemer@gmail.com> | 2022-08-02 13:02:09 +0000 |
---|---|---|
committer | Jonas Diemer <jonasdiemer@gmail.com> | 2022-09-18 18:22:43 +0000 |
commit | 2662c59fcffe1b62e019b08d1e22c1cd5c741066 (patch) | |
tree | 1d4e2d251c61c8ebd6402bb3c3c592aef95218e7 /src/file_upload.rs | |
parent | Add CHANGELOG entry for QR code rewrite (diff) | |
download | miniserve-2662c59fcffe1b62e019b08d1e22c1cd5c741066.tar.gz miniserve-2662c59fcffe1b62e019b08d1e22c1cd5c741066.zip |
Added option restrict-upload-dir
Diffstat (limited to '')
-rw-r--r-- | src/file_upload.rs | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/src/file_upload.rs b/src/file_upload.rs
index 6643c68..747d0de 100644
--- a/src/file_upload.rs
+++ b/src/file_upload.rs
@@ -171,6 +171,19 @@ pub async fn upload_file(
 ContextualError::IoError("Failed to resolve path served by miniserve".to_string(), e)
 })?;
 
+
+ // Disallow paths outside of restricted directories
+ // TODO: Probably not the most rust-ic style...
+ if !conf.restrict_upload_dir.is_empty() {
+ let upl_path = upload_path.clone().into_os_string().into_string().unwrap();
+
+ if !(conf.restrict_upload_dir.contains(&upl_path)){
+ // not good
+ return Err(ContextualError::InvalidPathError("Not allowed to upload to this path".to_string()));
+ }
+ }
+
+
 // Disallow the target path to go outside of the served directory
 // The target directory shouldn't be canonicalized when it gets passed to
 // handle_multipart so that it can check for symlinks if needed |
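Review bot: The added check converts `upload_path` with `.into_os_string().into_string().unwrap()`, which panics inside the handler whenever the path is not valid UTF-8; where `upload_path` is derived lies outside this hunk, but if it comes from the request, a client can trigger a panic instead of receiving the `InvalidPathError`. The test is also an exact string match against `restrict_upload_dir`, so it fails closed but treats equivalent spellings (trailing slash, doubled separator) as different directories, and it should not later be relaxed to a prefix test unless `..` components are rejected first. Assuming `upload_path` is a `PathBuf` and the list holds strings, comparing as paths removes both the clone and the panic: `if !conf.restrict_upload_dir.iter().any(|d| std::path::Path::new(d) == upload_path.as_path()) {`. The body of `upload_file` starts and ends outside the hunk, so whether the served-directory check that follows already normalises the path cannot be confirmed from here.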