fix dir traversal vuln
parent
6070c58bd0
commit
2013eb21bf
|
@ -188,9 +188,20 @@ impl Database for Filesystem {
|
||||||
|
|
||||||
// XXX: slow
|
// XXX: slow
|
||||||
fn by_uid(&self, uid: &str) -> Option<Box<[u8]>> {
|
fn by_uid(&self, uid: &str) -> Option<Box<[u8]>> {
|
||||||
let target = self.base.join("public").join("by-uid").join(uid);
|
use std::fs;
|
||||||
|
|
||||||
File::open(target).ok().and_then(|mut fd| {
|
let path = self.base.join("public").join("by-uid").join(uid);
|
||||||
|
|
||||||
|
fs::canonicalize(path).ok()
|
||||||
|
.and_then(|p| {
|
||||||
|
if p.starts_with(&self.base) {
|
||||||
|
Some(p)
|
||||||
|
} else {
|
||||||
|
None
|
||||||
|
}
|
||||||
|
}).and_then(|p| {
|
||||||
|
File::open(p).ok()
|
||||||
|
}).and_then(|mut fd| {
|
||||||
let mut buf = Vec::default();
|
let mut buf = Vec::default();
|
||||||
if fd.read_to_end(&mut buf).is_ok() {
|
if fd.read_to_end(&mut buf).is_ok() {
|
||||||
Some(buf.into_boxed_slice())
|
Some(buf.into_boxed_slice())
|
||||||
|
|
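Review bot: The containment check `if p.starts_with(&self.base)` in the new `by_uid` is wider than the directory the lookup is built from. The path is joined under `public/by-uid`, but any canonical path below `self.base` passes, so a `uid` with parent-directory components can still resolve to files elsewhere under the base directory, presumably including anything stored outside `public`. Bounding the check to the canonicalized public subtree would tighten it, e.g. `let root = fs::canonicalize(self.base.join("public")).ok()?;` followed by `if p.starts_with(&root) {`. Canonicalizing the root also matters because `fs::canonicalize` returns an absolute, symlink-resolved path, so if `self.base` is relative or contains a symlink (not visible here) the current comparison would reject every lookup. The body of `by_uid` continues past the end of this hunk.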