authortechknowlogick <hello@techknowlogick.com>2018-12-21 03:22:56 -0500
committerLunny Xiao <xiaolunwen@gmail.com>2018-12-21 16:22:56 +0800
commit21c70e1ed27420646d0d85f044facc8c84be3d5f (patch)
tree9291db36276471a9122559b890993f5291a213e1
parentb45d58805a3d7a1294713a95faa39c016ebd3930 (diff)
downloadgitea-21c70e1ed27420646d0d85f044facc8c84be3d5f.tar.gz
gitea-21c70e1ed27420646d0d85f044facc8c84be3d5f.zip
backport 5571 (#5573)
-rw-r--r--routers/repo/editor.go19
-rw-r--r--routers/repo/editor_test.go30
2 files changed, 48 insertions, 1 deletions
diff --git a/routers/repo/editor.go b/routers/repo/editor.go
index d36bcc4c36..f64b0002ae 100644
--- a/routers/repo/editor.go
+++ b/routers/repo/editor.go
@@ -559,6 +559,17 @@ func UploadFilePost(ctx *context.Context, form auth.UploadRepoFileForm) {
ctx.Redirect(ctx.Repo.RepoLink + "/src/branch/" + branchName + "/" + form.TreePath)
}
+func cleanUploadFileName(name string) string {
+ name = strings.TrimLeft(name, "./\\")
+ name = strings.Replace(name, "../", "", -1)
+ name = strings.Replace(name, "..\\", "", -1)
+ name = strings.TrimPrefix(path.Clean(name), ".git/")
+ if name == ".git" {
+ return ""
+ }
+ return name
+}
+
// UploadFileToServer upload file to server file dir not git
func UploadFileToServer(ctx *context.Context) {
file, header, err := ctx.Req.FormFile("file")
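Review bot: cleanUploadFileName can return "." for a name that is empty after trimming (`path.Clean("")` yields "."), and the `len(name) == 0` check in UploadFileToServer then accepts it; it also does not reject a cleaned name that still begins with `..`, because the two `strings.Replace` passes are single-shot and `path.Clean` runs only afterwards. Rooting the path before cleaning closes both gaps: `name = path.Clean("/" + name)[1:]`, then `name = strings.TrimPrefix(name, ".git/")`, and `if name == "" || name == ".git" {`. Every expectation in the accompanying TestCleanUploadName still holds with that form. A one-line doc comment such as `// cleanUploadFileName strips separators, parent references and a leading .git/ from an uploaded file name, returning "" when nothing usable is left.` would also help, since this helper is the only guard before models.NewUpload.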
@@ -591,7 +602,13 @@ func UploadFileToServer(ctx *context.Context) {
}
}
- upload, err := models.NewUpload(header.Filename, buf, file)
+ name := cleanUploadFileName(header.Filename)
+ if len(name) == 0 {
+ ctx.Error(500, "Upload file name is invalid")
+ return
+ }
+
+ upload, err := models.NewUpload(name, buf, file)
if err != nil {
ctx.Error(500, fmt.Sprintf("NewUpload: %v", err))
return
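Review bot: The new rejection of an invalid upload name reports it with status 500, although the condition is a client-supplied file name rather than a server failure; `ctx.Error(400, "Upload file name is invalid")` is the fitting response and distinguishes it from the NewUpload failure handled just below. UploadFileToServer starts before this hunk and its body continues after it.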
diff --git a/routers/repo/editor_test.go b/routers/repo/editor_test.go
new file mode 100644
index 0000000000..e5b9570205
--- /dev/null
+++ b/routers/repo/editor_test.go
@@ -0,0 +1,30 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package repo
+
+import (
+ "testing"
+
+ "code.gitea.io/gitea/models"
+ "github.com/stretchr/testify/assert"
+)
+
+func TestCleanUploadName(t *testing.T) {
+ models.PrepareTestEnv(t)
+
+ var kases = map[string]string{
+ ".git/refs/master": "git/refs/master",
+ "/root/abc": "root/abc",
+ "./../../abc": "abc",
+ "a/../.git": "a/.git",
+ "a/../../../abc": "a/abc",
+ "../../../acd": "acd",
+ "../../.git/abc": "git/abc",
+ "..\\..\\.git/abc": "git/abc",
+ }
+ for k, v := range kases {
+ assert.EqualValues(t, v, cleanUploadFileName(k))
+ }
+}
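Review bot: TestCleanUploadName has no case for the boundary where nothing usable remains, such as an empty name or a name made only of dots; with the current helper those yield "." rather than "", so adding `"": "",` and `"...": "",` to kases documents the intended contract and fails until the helper is tightened. `models.PrepareTestEnv(t)` also appears unnecessary here, since cleanUploadFileName only manipulates a string, and dropping it keeps this a fast unit test. Stylistically, `kases := map[string]string{` is the idiomatic form of the declaration.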