-rw-r--r--src/file_upload.rs16
-rw-r--r--src/renderer.rs16
2 files changed, 7 insertions, 25 deletions
diff --git a/src/file_upload.rs b/src/file_upload.rs
index 56112f3..e5f6173 100644
--- a/src/file_upload.rs
+++ b/src/file_upload.rs
@@ -174,21 +174,15 @@ pub async fn upload_file(
// Disallow paths outside of restricted directories
// TODO: Probably not the most rust-ic style...
- if !conf.restrict_upload_dir.is_empty() {
- let mut upload_allowed = false;
- for restricted_dir in conf.restrict_upload_dir.iter() {
- if upload_path.starts_with(restricted_dir) {
- upload_allowed = true;
- break;
- }
- }
+ let upload_allowed = conf.restrict_upload_dir.is_empty() ||
+ conf.restrict_upload_dir.iter().any(|s| upload_path.starts_with(s));
- if !upload_allowed {
- return Err(ContextualError::InvalidPathError("Not allowed to upload to this path".to_string()));
- }
+ if !(upload_allowed) {
+ return Err(ContextualError::InvalidPathError("Not allowed to upload to this path".to_string()));
}
+
// Disallow the target path to go outside of the served directory
// The target directory shouldn't be canonicalized when it gets passed to
// handle_multipart so that it can check for symlinks if needed
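Review bot: The allow-list test `conf.restrict_upload_dir.iter().any(|s| upload_path.starts_with(s))` is only as strong as the normalization of `upload_path`. If `upload_path` is a `Path`/`PathBuf` (its declaration is outside this hunk), `starts_with` matches whole components lexically and does not resolve `..` or symlinks. Confirm that `upload_path` has been sanitized before this point, and record the precondition next to the check, e.g. `// upload_path must already be normalized (no "..") — starts_with is a lexical, per-component match`. The comment below the check says canonicalization is deliberately deferred, so the restriction relies on that earlier sanitization alone. Minor: `if !(upload_allowed)` can be `if !upload_allowed`, and the retained `// TODO: Probably not the most rust-ic style...` no longer applies to the rewritten code.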
diff --git a/src/renderer.rs b/src/renderer.rs
index 2b3d1fa..0ee26af 100644
--- a/src/renderer.rs
+++ b/src/renderer.rs
@@ -40,20 +40,8 @@ pub fn page(
let title_path = breadcrumbs_to_path_string(breadcrumbs);
- // TODO: Probably not very idiomatic
- let mut upload_allowed = false;
-
- if conf.restrict_upload_dir.is_empty() {
- upload_allowed = true;
- } else {
- for restricted_dir in conf.restrict_upload_dir.iter() {
- let full_restricted_path = &format!("/{}", restricted_dir.display());
- if encoded_dir.starts_with(full_restricted_path) {
- upload_allowed = true;
- break;
- }
- }
- }
+ let upload_allowed = conf.restrict_upload_dir.is_empty() || conf.restrict_upload_dir.iter().any(
+ |x| encoded_dir.starts_with(&format!("/{}", x.display())) );
html! {
(DOCTYPE)
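Review bot: The closure `|x| encoded_dir.starts_with(&format!("/{}", x.display()))` does a raw string-prefix match, whereas `upload_file` matches on path components, so the two checks can disagree. A restricted dir named `uploads` would also match a sibling such as `/uploads-old` here. If `encoded_dir` is percent-encoded, as its name suggests (not visible in this hunk), a restricted dir containing spaces or non-ASCII characters would never match. This value appears to control only what the page renders, so the effect is a misleading UI rather than a bypass. It still deserves a comment such as `// UI hint only; upload_file enforces restrict_upload_dir per path component`, or a comparison on decoded path components so both places agree.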