beenull/sftpgo
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

WebAPI: ensure to check rootfs before creating directories

Browse source 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
Nicola Murino 2024-04-01 12:40:35 +02:00
parent 1620e16b89
commit aaae191710
No known key found for this signature in database
GPG key ID: 935D2952DEC4EECF
2 changed files with 5 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
internal/httpd/api_http_user.go
View file

@ -90,6 +90,7 @@ func createUserDir(w http.ResponseWriter, r *http.Request) {
} }
defer common.Connections.Remove(connection.GetID()) defer common.Connections.Remove(connection.GetID())
connection.User.CheckFsRoot(connection.ID) //nolint:errcheck
name := connection.User.GetCleanedPath(r.URL.Query().Get("path")) name := connection.User.GetCleanedPath(r.URL.Query().Get("path"))
if getBoolQueryParam(r, "mkdir_parents") { if getBoolQueryParam(r, "mkdir_parents") {
if err = connection.CheckParentDirs(path.Dir(name)); err != nil { if err = connection.CheckParentDirs(path.Dir(name)); err != nil {
@ -97,7 +98,6 @@ func createUserDir(w http.ResponseWriter, r *http.Request) {
return return
} }
} }
connection.User.CheckFsRoot(connection.ID) //nolint:errcheck
err = connection.CreateDir(name, true) err = connection.CreateDir(name, true)
if err != nil { if err != nil {
sendAPIResponse(w, r, err, fmt.Sprintf("Unable to create directory %q", name), getMappedStatusCode(err)) sendAPIResponse(w, r, err, fmt.Sprintf("Unable to create directory %q", name), getMappedStatusCode(err))
@ -273,6 +273,7 @@ func uploadUserFile(w http.ResponseWriter, r *http.Request) {
} }
defer common.Connections.Remove(connection.GetID()) defer common.Connections.Remove(connection.GetID())
connection.User.CheckFsRoot(connection.ID) //nolint:errcheck
filePath := connection.User.GetCleanedPath(r.URL.Query().Get("path")) filePath := connection.User.GetCleanedPath(r.URL.Query().Get("path"))
if getBoolQueryParam(r, "mkdir_parents") { if getBoolQueryParam(r, "mkdir_parents") {
if err = connection.CheckParentDirs(path.Dir(filePath)); err != nil { if err = connection.CheckParentDirs(path.Dir(filePath)); err != nil {
@ -284,7 +285,6 @@ func uploadUserFile(w http.ResponseWriter, r *http.Request) {
} }
func doUploadFile(w http.ResponseWriter, r *http.Request, connection *Connection, filePath string) error { func doUploadFile(w http.ResponseWriter, r *http.Request, connection *Connection, filePath string) error {
connection.User.CheckFsRoot(connection.ID) //nolint:errcheck
writer, err := connection.getFileWriter(filePath) writer, err := connection.getFileWriter(filePath)
if err != nil { if err != nil {
sendAPIResponse(w, r, err, fmt.Sprintf("Unable to write file %q", filePath), getMappedStatusCode(err)) sendAPIResponse(w, r, err, fmt.Sprintf("Unable to write file %q", filePath), getMappedStatusCode(err))
@ -342,6 +342,7 @@ func uploadUserFiles(w http.ResponseWriter, r *http.Request) {
sendAPIResponse(w, r, nil, "No files uploaded!", http.StatusBadRequest) sendAPIResponse(w, r, nil, "No files uploaded!", http.StatusBadRequest)
return return
} }
connection.User.CheckFsRoot(connection.ID) //nolint:errcheck
if getBoolQueryParam(r, "mkdir_parents") { if getBoolQueryParam(r, "mkdir_parents") {
if err = connection.CheckParentDirs(parentDir); err != nil { if err = connection.CheckParentDirs(parentDir); err != nil {
sendAPIResponse(w, r, err, "Error checking parent directories", getMappedStatusCode(err)) sendAPIResponse(w, r, err, "Error checking parent directories", getMappedStatusCode(err))
@ -354,7 +355,6 @@ func uploadUserFiles(w http.ResponseWriter, r *http.Request) {
func doUploadFiles(w http.ResponseWriter, r *http.Request, connection *Connection, parentDir string, func doUploadFiles(w http.ResponseWriter, r *http.Request, connection *Connection, parentDir string,
files []*multipart.FileHeader, files []*multipart.FileHeader,
) int { ) int {
connection.User.CheckFsRoot(connection.ID) //nolint:errcheck
uploaded := 0 uploaded := 0
connection.User.UploadBandwidth = 0 connection.User.UploadBandwidth = 0
for _, f := range files { for _, f := range files {

2
internal/httpd/api_shares.go
View file

@ -358,6 +358,7 @@ func (s *httpdServer) uploadFileToShare(w http.ResponseWriter, r *http.Request)
} }
defer common.Connections.Remove(connection.GetID()) defer common.Connections.Remove(connection.GetID())
connection.User.CheckFsRoot(connection.ID) //nolint:errcheck
if getBoolQueryParam(r, "mkdir_parents") { if getBoolQueryParam(r, "mkdir_parents") {
if err = connection.CheckParentDirs(path.Dir(filePath)); err != nil { if err = connection.CheckParentDirs(path.Dir(filePath)); err != nil {
sendAPIResponse(w, r, err, "Error checking parent directories", getMappedStatusCode(err)) sendAPIResponse(w, r, err, "Error checking parent directories", getMappedStatusCode(err))
@ -417,6 +418,7 @@ func (s *httpdServer) uploadFilesToShare(w http.ResponseWriter, r *http.Request)
} }
dataprovider.UpdateShareLastUse(&share, len(files)) //nolint:errcheck dataprovider.UpdateShareLastUse(&share, len(files)) //nolint:errcheck
connection.User.CheckFsRoot(connection.ID) //nolint:errcheck
numUploads := doUploadFiles(w, r, connection, share.Paths[0], files) numUploads := doUploadFiles(w, r, connection, share.Paths[0], files)
if numUploads != len(files) { if numUploads != len(files) {
dataprovider.UpdateShareLastUse(&share, numUploads-len(files)) //nolint:errcheck dataprovider.UpdateShareLastUse(&share, numUploads-len(files)) //nolint:errcheck