Mirrors/zola
2
0
Fork 0
mirror of https://github.com/getzola/zola synced 2024-11-10 14:24:27 +00:00
Code Issues Projects Releases Packages Wiki Activity

Fix LFI in zola serve (#2258)

Browse source 
* use fs canonicalize to prevent path traversal

* fix cargo fmt
This commit is contained in:
Maksym Vatsyk 2023-08-04 22:56:42 +02:00 committed by Vincent Prouillet
parent 2cd133b9fb
commit 208c506ec3
1 changed files with 8 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
src/cmd/serve.rs
View file

@ -133,6 +133,14 @@ async fn handle_request(req: Request<Body>, mut root: PathBuf) -> Result<Respons
// otherwise `PathBuf` will interpret it as an absolute path
root.push(&decoded[1..]);
// Resolve the root + user supplied path into the absolute path
// this should hopefully remove any path traversals
// if we fail to resolve path, we should return 404
root = match tokio::fs::canonicalize(&root).await {
Ok(d) => d,
Err(_) => return Ok(not_found()),
};
// Ensure we are only looking for things in our public folder
if !root.starts_with(original_root) {
return Ok(not_found());