Check if file or dir is .. (#711)

* Check if file or dir is .. * Diff and check name is .. * Go diff and check name is .. * Check if ignore new name or name --------- Co-authored-by: 杨赫然 <heran.yang@seafile.com>
2025-09-12 21:35:30 +00:00 · 2024-10-31 17:13:23 +08:00
parent 665d0083bd
commit d727249a08
4 changed files with 111 additions and 0 deletions
--- a/server/http-server.c
+++ b/server/http-server.c
@@ -1192,6 +1192,57 @@ check_blocks (SeafRepo *repo, SeafCommit *base, SeafCommit *remote, char **ret_b
    return -1;
 }

+gboolean
+should_ignore (const char *filename)
+{
+    char **components = g_strsplit (filename, "/", -1);
+    int n_comps = g_strv_length (components);
+    int j = 0;
+    char *file_name;
+
+    for (; j < n_comps; ++j) {
+        file_name = components[j];
+        if (g_strcmp0(file_name, "..") == 0) {
+            g_strfreev (components);
+            return TRUE;
+        }
+    }
+    g_strfreev (components);
+
+    return FALSE;
+}
+
+static gboolean
+include_invalid_path (SeafCommit *base_commit, SeafCommit *new_commit) {
+    GList *diff_entries = NULL;
+    gboolean ret = FALSE;
+
+    int rc = diff_commits (base_commit, new_commit, &diff_entries, TRUE);
+    if (rc < 0) {
+        seaf_warning ("Failed to check invalid path.\n");
+        return FALSE;
+    }
+
+    GList *ptr;
+    DiffEntry *diff_entry;
+    for (ptr = diff_entries; ptr; ptr = ptr->next) {
+        diff_entry = ptr->data;
+        if (diff_entry->new_name) {
+            if (should_ignore(diff_entry->new_name)) {
+                ret = TRUE;
+                break;
+            }
+        } else {
+            if (should_ignore(diff_entry->name)) {
+                ret = TRUE;
+                break;
+            }
+        }
+    }
+
+    return ret;
+}
+
 static void
 put_update_branch_cb (evhtp_request_t *req, void *arg)
 {
@@ -1249,6 +1300,11 @@ put_update_branch_cb (evhtp_request_t *req, void *arg)
        goto out;
    }

+    if (include_invalid_path (base, new_commit)) {
+        evhtp_send_reply (req, EVHTP_RES_BADREQ);
+        goto out;
+    }
+
    if (seaf_quota_manager_check_quota (seaf->quota_mgr, repo_id) < 0) {
        evhtp_send_reply (req, SEAF_HTTP_RES_NOQUOTA);
        goto out;