Clean Path in Options (#23006)
At the moment it is possible to read files in a directory other than the intended one using the Options functions, e.g. `options.Gitignore("../label/Default")`. This was discovered while working on #22783, which exposes `options.Gitignore()` through the public API. At the moment, this is not a security problem, as this function is only used internally, but I thought it would be a good idea to make a PR to fix this for all types of Options files, not only Gitignore, to make it safe for the future. This PR should be merged before the linked PR. --------- Co-authored-by: Jason Song <i@wolfogre.com>
parent
7e3b7c2346
commit
a12f575737
|
@ -79,22 +79,22 @@ func WalkLocales(callback func(path, name string, d fs.DirEntry, err error) erro
|
||||||
|
|
||||||
// Readme reads the content of a specific readme from static or custom path.
|
// Readme reads the content of a specific readme from static or custom path.
|
||||||
func Readme(name string) ([]byte, error) {
|
func Readme(name string) ([]byte, error) {
|
||||||
return fileFromDir(path.Join("readme", name))
|
return fileFromDir(path.Join("readme", path.Clean("/"+name)))
|
||||||
}
|
}
|
||||||
|
|
||||||
// Gitignore reads the content of a specific gitignore from static or custom path.
|
// Gitignore reads the content of a specific gitignore from static or custom path.
|
||||||
func Gitignore(name string) ([]byte, error) {
|
func Gitignore(name string) ([]byte, error) {
|
||||||
return fileFromDir(path.Join("gitignore", name))
|
return fileFromDir(path.Join("gitignore", path.Clean("/"+name)))
|
||||||
}
|
}
|
||||||
|
|
||||||
// License reads the content of a specific license from static or custom path.
|
// License reads the content of a specific license from static or custom path.
|
||||||
func License(name string) ([]byte, error) {
|
func License(name string) ([]byte, error) {
|
||||||
return fileFromDir(path.Join("license", name))
|
return fileFromDir(path.Join("license", path.Clean("/"+name)))
|
||||||
}
|
}
|
||||||
|
|
||||||
// Labels reads the content of a specific labels from static or custom path.
|
// Labels reads the content of a specific labels from static or custom path.
|
||||||
func Labels(name string) ([]byte, error) {
|
func Labels(name string) ([]byte, error) {
|
||||||
return fileFromDir(path.Join("label", name))
|
return fileFromDir(path.Join("label", path.Clean("/"+name)))
|
||||||
}
|
}
|
||||||
|
|
||||||
// fileFromDir is a helper to read files from static or custom path.
|
// fileFromDir is a helper to read files from static or custom path.
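Review bot: `path.Clean("/"+name)` in Readme, Gitignore, License and Labels treats only forward slashes as separators, so a `name` whose `..` segments are separated by backslashes passes through unchanged; the second file section below uses the same expression. Whether that matters depends on how fileFromDir, whose body is outside this hunk, turns the result into an OS path: if it goes through `filepath` on Windows, the backslashes would presumably act as separators again. Normalising before cleaning, e.g. `path.Clean("/" + strings.ReplaceAll(name, "\\", "/"))`, closes that gap, and one small shared helper would keep the four call sites from drifting apart. No test is visible here; one that passes `../label/Default` to each function and expects a not-found error would pin the behaviour the description promises.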
|
||||||
|
|
|
@ -84,22 +84,22 @@ func WalkLocales(callback func(path, name string, d fs.DirEntry, err error) erro
|
||||||
|
|
||||||
// Readme reads the content of a specific readme from bindata or custom path.
|
// Readme reads the content of a specific readme from bindata or custom path.
|
||||||
func Readme(name string) ([]byte, error) {
|
func Readme(name string) ([]byte, error) {
|
||||||
return fileFromDir(path.Join("readme", name))
|
return fileFromDir(path.Join("readme", path.Clean("/"+name)))
|
||||||
}
|
}
|
||||||
|
|
||||||
// Gitignore reads the content of a gitignore locale from bindata or custom path.
|
// Gitignore reads the content of a gitignore locale from bindata or custom path.
|
||||||
func Gitignore(name string) ([]byte, error) {
|
func Gitignore(name string) ([]byte, error) {
|
||||||
return fileFromDir(path.Join("gitignore", name))
|
return fileFromDir(path.Join("gitignore", path.Clean("/"+name)))
|
||||||
}
|
}
|
||||||
|
|
||||||
// License reads the content of a specific license from bindata or custom path.
|
// License reads the content of a specific license from bindata or custom path.
|
||||||
func License(name string) ([]byte, error) {
|
func License(name string) ([]byte, error) {
|
||||||
return fileFromDir(path.Join("license", name))
|
return fileFromDir(path.Join("license", path.Clean("/"+name)))
|
||||||
}
|
}
|
||||||
|
|
||||||
// Labels reads the content of a specific labels from static or custom path.
|
// Labels reads the content of a specific labels from static or custom path.
|
||||||
func Labels(name string) ([]byte, error) {
|
func Labels(name string) ([]byte, error) {
|
||||||
return fileFromDir(path.Join("label", name))
|
return fileFromDir(path.Join("label", path.Clean("/"+name)))
|
||||||
}
|
}
|
||||||
|
|
||||||
// fileFromDir is a helper to read files from bindata or custom path.
|
// fileFromDir is a helper to read files from bindata or custom path.
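Review bot: The doc comment on Gitignore in this section says it "reads the content of a gitignore locale", which looks like a copy-paste leftover, and none of the four comments state that `name` is now confined to its own subdirectory. Since the commit exists to make these functions safe to expose through the API, that contract belongs in the comment, e.g. `// Gitignore reads a gitignore template by name from bindata or custom path; name is cleaned so it cannot escape the gitignore directory.` The same sentence, adapted, fits Readme, License and Labels in both file sections.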
|
||||||
|
|