diff options
| author | Jonas Diemer <jonasdiemer@gmail.com> | 2022-08-17 08:28:46 +0000 |
|---|---|---|
| committer | Jonas Diemer <jonasdiemer@gmail.com> | 2022-09-18 18:26:54 +0000 |
| commit | d905b68ca93c42769c3ebddf472a2916dc75b012 (patch) | |
| tree | b4a40b65cdc57a345afdf8c11f935b4af732fe00 /src | |
| parent | sanitize allowed upload paths for cases like ./dir (diff) | |
| download | miniserve-d905b68ca93c42769c3ebddf472a2916dc75b012.tar.gz miniserve-d905b68ca93c42769c3ebddf472a2916dc75b012.zip | |
cargo fmt
Diffstat (limited to 'src')
| -rw-r--r-- | src/args.rs | 7 | ||||
| -rw-r--r-- | src/config.rs | 9 | ||||
| -rw-r--r-- | src/file_upload.rs | 14 | ||||
| -rw-r--r-- | src/renderer.rs | 9 |
4 files changed, 27 insertions, 12 deletions
diff --git a/src/args.rs b/src/args.rs index 8cd8ffa..6ed1e0d 100644 --- a/src/args.rs +++ b/src/args.rs @@ -116,7 +116,12 @@ pub struct CliArgs { pub mkdir_enabled: bool, /// Specify uploadable media types - #[clap(arg_enum, short = 'm', long = "media-type", requires = "allowed-upload-dir")] + #[clap( + arg_enum, + short = 'm', + long = "media-type", + requires = "allowed-upload-dir" + )] pub media_type: Option<Vec<MediaType>>, /// Directly specify the uploadable media type expression diff --git a/src/config.rs b/src/config.rs index 1331e7d..073a80a 100644 --- a/src/config.rs +++ b/src/config.rs @@ -16,7 +16,7 @@ use rustls_pemfile as pemfile; use crate::{ args::{CliArgs, MediaType}, auth::RequiredAuth, - file_upload::sanitize_path + file_upload::sanitize_path, }; /// Possible characters for random routes @@ -252,7 +252,12 @@ impl MiniserveConfig { show_qrcode: args.qrcode, mkdir_enabled: args.mkdir_enabled, file_upload: !args.allowed_upload_dir.is_none(), - allowed_upload_dir: args.allowed_upload_dir.unwrap_or(vec![]).iter().map(|x| sanitize_path(x, false).unwrap()).collect(), + allowed_upload_dir: args + .allowed_upload_dir + .unwrap_or(vec![]) + .iter() + .map(|x| sanitize_path(x, false).unwrap()) + .collect(), uploadable_media_type, tar_enabled: args.enable_tar, tar_gz_enabled: args.enable_tar_gz, diff --git a/src/file_upload.rs b/src/file_upload.rs index 4d4f225..0232c7e 100644 --- a/src/file_upload.rs +++ b/src/file_upload.rs @@ -171,17 +171,19 @@ pub async fn upload_file( ContextualError::IoError("Failed to resolve path served by miniserve".to_string(), e) })?; - // Disallow paths outside of allowed directories - let upload_allowed = conf.allowed_upload_dir.is_empty() || - conf.allowed_upload_dir.iter().any(|s| upload_path.starts_with(s)); + let upload_allowed = conf.allowed_upload_dir.is_empty() + || conf + .allowed_upload_dir + .iter() + .any(|s| upload_path.starts_with(s)); if !upload_allowed { - return Err(ContextualError::InvalidPathError("Not allowed to upload to this path".to_string())); + return Err(ContextualError::InvalidPathError( + "Not allowed to upload to this path".to_string(), + )); } - - // Disallow the target path to go outside of the served directory // The target directory shouldn't be canonicalized when it gets passed to // handle_multipart so that it can check for symlinks if needed diff --git a/src/renderer.rs b/src/renderer.rs index 107f0a4..b98a595 100644 --- a/src/renderer.rs +++ b/src/renderer.rs @@ -40,9 +40,12 @@ pub fn page( let title_path = breadcrumbs_to_path_string(breadcrumbs); - let upload_allowed = conf.allowed_upload_dir.is_empty() || conf.allowed_upload_dir.iter().any( - |x| encoded_dir.starts_with(&format!("/{}", x.display())) ); - + let upload_allowed = conf.allowed_upload_dir.is_empty() + || conf + .allowed_upload_dir + .iter() + .any(|x| encoded_dir.starts_with(&format!("/{}", x.display()))); + html! { (DOCTYPE) html { |