
[PATCH gemserv v2] Block transversal attacks

Patch: +10 -0
This uses the method described at gemi.dev to block transversal
attacks: it checks to see if the canonical path is within the
boundary of the root directory given in config.
 src/con_handler.rs | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/con_handler.rs b/src/con_handler.rs
index 33cb604..6866a41 100644
--- a/src/con_handler.rs
+++ b/src/con_handler.rs
@@ -13,6 +13,8 @@ use crate::revproxy;
use crate::status::Status;
use crate::util;

use crate::errors;

type Result<T = ()> = std::result::Result<T, Box<dyn std::error::Error + Send + Sync>>;

fn get_mime(path: &Path) -> String {
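Review bot: the new `use crate::errors;` is set apart from the existing `use crate::` block (`revproxy`, `status::Status`, `util`) by blank lines on both sides; fold it into that group, sorted with the others, to match the file's import style rather than starting a second group.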
@@ -260,6 +262,14 @@ pub async fn handle_connection(mut con: conn::Connection, url: url::Url) -> Resu
        return Ok(());

    let root = std::fs::canonicalize(&con.srv.server.dir).unwrap();
    let mut path = std::fs::canonicalize(path).unwrap();
    if !path.starts_with(root) {
        logger::logger(con.peer_addr, Status::BadRequest, url.as_str());
        con.send_status(Status::BadRequest, None).await?;
        return Err(Box::new(errors::GemError("Blocked transversal".into())));

    let mut meta = tokio::fs::metadata(&path).await?;
    let mut perm = meta.permissions();
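Review bot: both `.unwrap()` calls on `std::fs::canonicalize` will panic instead of returning an error, and `canonicalize` fails for any path that does not exist, so every request for a missing file now panics the connection handler before the existing `tokio::fs::metadata(&path).await?` line gets a chance to produce a not-found response; the root-directory call likewise panics at request time if the configured `dir` is missing. Handle both results explicitly, for example `let path = match std::fs::canonicalize(&path) { Ok(p) => p, Err(_) => { /* send Status::NotFound and return */ } };`, and resolve the root once at startup rather than on every request. Two further points: `std::fs::canonicalize` is a blocking syscall inside an `async fn`, where `tokio::fs::canonicalize` fits the surrounding code; and because canonicalization resolves symlinks, a symlink inside `dir` that points outside it is now rejected as well, which is reasonable but should be stated in the commit message or config documentation. Finally, the error string `"Blocked transversal"` (and the patch subject) should read "traversal".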


[gemserv/patches] build success

builds.sr.ht <builds@sr.ht>
Message ID: <20220216162755.12188-1-me@josias.dev>
gemserv/patches: SUCCESS in 4m21s

[Block transversal attacks][0] v2 from [Josias][1]

[0]: https://lists.sr.ht/~int80h/public-inbox/patches/29501
[1]: me@josias.dev

✓ #697678 SUCCESS gemserv/patches/alpine.yml        https://builds.sr.ht/~int80h/job/697678
✓ #697680 SUCCESS gemserv/patches/release-linux.yml https://builds.sr.ht/~int80h/job/697680
✓ #697679 SUCCESS gemserv/patches/docker.yml        https://builds.sr.ht/~int80h/job/697679