mirror of https://github.com/dani-garcia/vaultwarden.git synced 2025-05-20 18:43:57 +00:00

Protect namedfile against path traversal, rocket only does it for pathbuf

Daniel García 2021-07-15 19:15:55 +02:00
parent 3968bc8016
commit e5ec245626
No known key found for this signature in database
GPG key ID: FC8A7D14C3CD543A
3 changed files with 36 additions and 4 deletions


@ -10,6 +10,7 @@ use crate::{
api::{ApiResult, EmptyResult, JsonResult, JsonUpcase, Notify, UpdateType},
auth::{Headers, Host},
db::{models::*, DbConn, DbPool},
util::SafeString,
CONFIG,
};
@ -335,7 +336,7 @@ fn post_access_file(
}
#[get("/sends/<send_id>/<file_id>?<t>")]
fn download_send(send_id: String, file_id: String, t: String) -> Option<NamedFile> {
fn download_send(send_id: SafeString, file_id: SafeString, t: String) -> Option<NamedFile> {
if let Ok(claims) = crate::auth::decode_send(&t) {
if claims.sub == format!("{}/{}", send_id, file_id) {
return NamedFile::open(Path::new(&CONFIG.sends_folder()).join(send_id).join(file_id)).ok();
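Review bot: The traversal protection for `download_send` now rests entirely on the `SafeString` request guard, whose definition is not visible in this hunk, and nothing at the call site tells a reader why `send_id` and `file_id` must not be changed back to `String`. I would add a comment above the signature, for example `// SafeString, not String: Rocket only rejects traversal for PathBuf params, and both values are joined onto sends_folder()`. It is also worth confirming that the guard is an allow-list that rejects `.`, `/` and `\` outright rather than filtering the `..` sequence, and pinning that with a unit test on the guard. The body of `download_send` continues past the end of the hunk, so the remaining return paths were not reviewed here.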