
Escape filePath before calling check file access (#703)

Co-authored-by: 杨赫然 <heran.yang@seafile.com>
This commit is contained in:
feiniks 2024-09-20 11:26:41 +08:00 committed by GitHub
parent 6649fada8c
commit 4adceee73d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -241,12 +241,9 @@ func accessV2CB(rsp http.ResponseWriter, r *http.Request) *appError {
msg := "No file path\n" msg := "No file path\n"
return &appError{nil, msg, http.StatusBadRequest} return &appError{nil, msg, http.StatusBadRequest}
} }
decPath, err := url.PathUnescape(filePath) // filePath will be unquote by mux, we need to escape filePath before calling check file access.
if err != nil { escPath := url.PathEscape(filePath)
msg := fmt.Sprintf("File path %s can't be decoded\n", filePath) rpath := getCanonPath(filePath)
return &appError{nil, msg, http.StatusBadRequest}
}
rpath := getCanonPath(decPath)
fileName := filepath.Base(rpath) fileName := filepath.Base(rpath)
op := r.URL.Query().Get("op") op := r.URL.Query().Get("op")
@ -263,7 +260,7 @@ func accessV2CB(rsp http.ResponseWriter, r *http.Request) *appError {
return &appError{nil, msg, http.StatusBadRequest} return &appError{nil, msg, http.StatusBadRequest}
} }
user, appErr := checkFileAccess(repoID, token, cookie, filePath, "download") user, appErr := checkFileAccess(repoID, token, cookie, escPath, "download")
if appErr != nil { if appErr != nil {
return appErr return appErr
} }
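Review bot: The value now passed to checkFileAccess is produced by url.PathEscape, which encodes a path as a single segment and therefore turns every `/` into `%2F`, while the removed url.PathUnescape decoded the whole path; whether the access check expects the full path as one escaped segment (rather than only the non-slash characters escaped) is not visible here and should be pinned by a test with a multi-level path such as `dir/sub/file.txt`. The path checked (`escPath`, built from the raw mux-decoded value) and the path later served (`rpath := getCanonPath(filePath)`) are also derived differently, so if getCanonPath normalizes anything (`..`, repeated or trailing slashes) the authorization decision and the served object may disagree — this predates the change but is worth a comment or a canonical-first ordering. The new comment could be tightened to `// mux has already unescaped filePath; re-escape it because checkFileAccess expects an escaped path (PathEscape also encodes "/").` accessV2CB begins and ends outside both hunks.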