From 2013eb21bf24842a99587a5c8e6349819338a874 Mon Sep 17 00:00:00 2001
From: seu <seu@panopticon.re>
Date: Wed, 19 Sep 2018 22:23:39 +0200
Subject: [PATCH] fix dir traversal vuln

---
 src/database/fs.rs | 29 ++++++++++++++++++++---------
 1 file changed, 20 insertions(+), 9 deletions(-)

diff --git a/src/database/fs.rs b/src/database/fs.rs
index b6616bf..f528d23 100644
--- a/src/database/fs.rs
+++ b/src/database/fs.rs
@@ -188,16 +188,27 @@ impl Database for Filesystem {
 
     // XXX: slow
     fn by_uid(&self, uid: &str) -> Option<Box<[u8]>> {
-        let target = self.base.join("public").join("by-uid").join(uid);
+        use std::fs;
 
-        File::open(target).ok().and_then(|mut fd| {
-            let mut buf = Vec::default();
-            if fd.read_to_end(&mut buf).is_ok() {
-                Some(buf.into_boxed_slice())
-            } else {
-                None
-            }
-        })
+        let path = self.base.join("public").join("by-uid").join(uid);
+
+        fs::canonicalize(path).ok()
+            .and_then(|p| {
+                if p.starts_with(&self.base) {
+                    Some(p)
+                } else {
+                    None
+                }
+            }).and_then(|p| {
+                File::open(p).ok()
+            }).and_then(|mut fd| {
+                let mut buf = Vec::default();
+                if fd.read_to_end(&mut buf).is_ok() {
+                    Some(buf.into_boxed_slice())
+                } else {
+                    None
+                }
+            })
     }
 }