third-party-mirrors/navidrome
1
0
Fork 0
mirror of https://github.com/navidrome/navidrome.git synced 2025-04-23 15:20:33 +03:00
Code Issues Packages Projects Releases Wiki Activity

Tightening up the .. and . protection a smidge

Browse Source
This commit is contained in:
Rob Emery 2025-01-11 17:38:05 +00:00
parent 77cf5ccacf
commit bb3cbce72a
1 changed files with 4 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
dlna/contenddirectoryservice.go
View File

@ -10,6 +10,7 @@ import (
"os"
"path"
"path/filepath"
"slices"
"strings"
"time"
@ -194,13 +195,11 @@ func (cds *contentDirectoryService) readContainer(o object, host string) (ret []
}
func (cds *contentDirectoryService) doFiles(ret []interface{}, oPath string, host string) ([]interface{}, error) {
pathUnderFiles := strings.TrimPrefix(oPath, "/Music/Files")
//TODO make not terrible
if(strings.Contains(pathUnderFiles, "/..")) {
pathComponents := strings.Split(strings.TrimPrefix(oPath, "/Music/Files"), "/")
if(slices.Contains(pathComponents, "..") || slices.Contains(pathComponents, ".")) {
log.Error("Attempt to use .. or . detected", oPath, host)
return ret, nil
}
pathComponents := strings.Split(pathUnderFiles, "/")
totalPathArrayBits := append([]string{conf.Server.MusicFolder}, pathComponents...)
localFilePath := filepath.Join(totalPathArrayBits...)