~garritfra/public-inbox

taurus: Fix arbitrary read from file system v1 APPLIED

Alexey Yerin: 1
 Fix arbitrary read from file system

 1 files changed, 9 insertions(+), 1 deletions(-)

[PATCH taurus] Fix arbitrary read from file system

If you pass a path like `example.com//etc/passwd`, the server will respond
with the contents of the `/etc/passwd` file

Signed-off-by: Alexey Yerin <yerinalexey98fd@gmail.com>
---
 src/gemini.rs | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/gemini.rs b/src/gemini.rs
index 1dd3c85..5f9cb3b 100644
--- a/src/gemini.rs
+++ b/src/gemini.rs
@@ -14,13 +14,21 @@ impl GeminiRequest {
        Ok(gemini_request)
    }

    pub fn file_path(&self) -> Option<&str> {
    fn unsafe_file_path(&self) -> Option<&str> {
        self.path
            .path()
            .chars()
            .next()
            .map(|c| &self.path.path()[c.len_utf8()..])
    }

    pub fn file_path(&self) -> Option<&str> {
        match self.unsafe_file_path() {
            Some(path) if path.contains("..") || path.starts_with("/") => None,
            Some(path) => Some(path),
            None => None,
        }
    }
}

fn parse_path(req: &str) -> Option<&str> {
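
Review bot: In `file_path`, the guard `path.contains("..") || path.starts_with("/")` is a substring denylist rather than a check on path components. It rejects legitimate file names such as `notes..txt`, and whether it is sufficient depends on code not visible in this hunk: where percent-decoding happens relative to this check, and how the returned string is joined to the document root. Consider walking `std::path::Path::new(path).components()` and returning `None` unless every component is `Component::Normal`, and, if symlinks inside the root are a concern, canonicalizing the joined path and confirming it still lies under the root. The name `unsafe_file_path` can be misread as relating to Rust's `unsafe` keyword; something like `raw_file_path` with a doc comment saying callers must go through `file_path` would be clearer. A regression test covering `//etc/passwd` and a `../` path would pin the fix.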
-- 
2.29.2