mirrors/cosmopolitan
1
0
Fork 0
mirror of https://github.com/jart/cosmopolitan.git synced 2025-08-07 02:10:27 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Improve StoreFile by adding checks and skipping ./ in the stored path

Browse source 
Ref #366.
This commit is contained in:
Paul Kulchenko 2022-03-20 11:37:40 -07:00
parent d0782e983f
commit eed710020b
1 changed files with 11 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

16
tool/net/redbean.c
View file

@ -3515,11 +3515,17 @@ static void StoreAsset(char *path, size_t pathlen, char *data, size_t datalen,
static void StoreFile(char *path) {
char *p;
size_t n;
size_t plen, tlen;
struct stat st;
if (lstat(path, &st) == -1) DIEF("Can't stat %`'s: %m", path);
if (!(p = xslurp(path, &n))) DIEF("Can't read %`'s: %m", path);
StoreAsset(path, strlen(path), p, n, st.st_mode & 0777);
char *target = path;
if (startswith(target, "./")) target += 2;
tlen = strlen(target);
if (!IsReasonablePath(target, tlen))
DIEF("(cfg) error: can't store %`'s: contains '.' or '..' segments", target);
if (lstat(path, &st) == -1) DIEF("(cfg) error: can't stat %`'s: %m", path);
if (!(p = xslurp(path, &plen))) DIEF("(cfg) error: can't read %`'s: %m", path);
StoreAsset(target, tlen, p, plen, st.st_mode & 0777);
free(p);
}
static void StorePath(const char *dirpath) {
@ -3528,7 +3534,7 @@ static void StorePath(const char *dirpath) {
struct dirent *e;
if (!isdirectory(dirpath) && !endswith(dirpath, "/"))
return StoreFile(dirpath);
if (!(d = opendir(dirpath))) DIEF("Can't open %`'s", dirpath);
if (!(d = opendir(dirpath))) DIEF("(cfg) error: can't open %`'s", dirpath);
while ((e = readdir(d))) {
if (strcmp(e->d_name, ".") == 0) continue;
if (strcmp(e->d_name, "..") == 0) continue;