diff options
| author | JoramWilander <jwawilander@gmail.com> | 2015-07-21 15:18:17 -0400 |
|---|---|---|
| committer | JoramWilander <jwawilander@gmail.com> | 2015-07-21 19:22:04 -0400 |
| commit | 39abf24708870cec71a84c01063e647b859b2b67 (patch) | |
| tree | 16b57362681ad4d771a89e11e649a6d942e8ccb6 | |
| parent | 04408eea375439d69b61d65155fea863b3b1834c (diff) | |
| download | chat-39abf24708870cec71a84c01063e647b859b2b67.tar.gz chat-39abf24708870cec71a84c01063e647b859b2b67.tar.bz2 chat-39abf24708870cec71a84c01063e647b859b2b67.zip | |
added sanitization to filenames to remove the possibility of relative paths
| -rw-r--r-- | api/file.go | 8 | ||||
| -rw-r--r-- | api/file_test.go | 8 |
2 files changed, 12 insertions, 4 deletions
diff --git a/api/file.go b/api/file.go index 2abaca709..1dd179422 100644 --- a/api/file.go +++ b/api/file.go @@ -89,9 +89,11 @@ func uploadFile(c *Context, w http.ResponseWriter, r *http.Request) { buf := bytes.NewBuffer(nil) io.Copy(buf, file) + filename := filepath.Base(files[i].Filename) + uid := model.NewId() - path := "teams/" + c.Session.TeamId + "/channels/" + channelId + "/users/" + c.Session.UserId + "/" + uid + "/" + files[i].Filename + path := "teams/" + c.Session.TeamId + "/channels/" + channelId + "/users/" + c.Session.UserId + "/" + uid + "/" + filename if err := writeFile(buf.Bytes(), path); err != nil { c.Err = err @@ -99,11 +101,11 @@ func uploadFile(c *Context, w http.ResponseWriter, r *http.Request) { } if model.IsFileExtImage(filepath.Ext(files[i].Filename)) { - imageNameList = append(imageNameList, uid+"/"+files[i].Filename) + imageNameList = append(imageNameList, uid+"/"+filename) imageDataList = append(imageDataList, buf.Bytes()) } - encName := utils.UrlEncode(files[i].Filename) + encName := utils.UrlEncode(filename) fileUrl := "/" + channelId + "/" + c.Session.UserId + "/" + uid + "/" + encName resStruct.Filenames = append(resStruct.Filenames, fileUrl) diff --git a/api/file_test.go b/api/file_test.go index d5817234d..3f414d768 100644 --- a/api/file_test.go +++ b/api/file_test.go @@ -38,7 +38,7 @@ func TestUploadFile(t *testing.T) { body := &bytes.Buffer{} writer := multipart.NewWriter(body) - part, err := writer.CreateFormFile("files", "test.png") + part, err := writer.CreateFormFile("files", "../test.png") if err != nil { t.Fatal(err) } @@ -75,6 +75,9 @@ func TestUploadFile(t *testing.T) { filenames := strings.Split(resp.Data.(*model.FileUploadResponse).Filenames[0], "/") filename := filenames[len(filenames)-2] + "/" + filenames[len(filenames)-1] + if strings.Contains(filename, "../") { + t.Fatal("relative path should have been sanitized out") + } fileId := strings.Split(filename, ".")[0] var auth aws.Auth @@ -104,6 +107,9 @@ func TestUploadFile(t *testing.T) { } else if utils.Cfg.ServiceSettings.UseLocalStorage && len(utils.Cfg.ServiceSettings.StorageDirectory) > 0 { filenames := strings.Split(resp.Data.(*model.FileUploadResponse).Filenames[0], "/") filename := filenames[len(filenames)-2] + "/" + filenames[len(filenames)-1] + if strings.Contains(filename, "../") { + t.Fatal("relative path should have been sanitized out") + } fileId := strings.Split(filename, ".")[0] // wait a bit for files to ready |