v7.4.4 fixes #116

This commit is contained in:
Milos Stojanovic
2020-07-28 13:04:25 +02:00
parent 8a16c9e36c
commit 812a0a2ce0
5 changed files with 59 additions and 4 deletions


@@ -2,6 +2,10 @@
## Upcoming... ## Upcoming...
## 7.4.4 - 2020-07-28 [Security]
* This version patches a security vulnerability #116 please upgrade
## 7.4.3 - 2020-07-18 ## 7.4.3 - 2020-07-18
* disabling axios response auto-transformation when editing content, fixes #110 * disabling axios response auto-transformation when editing content, fixes #110


@@ -234,6 +234,9 @@ class Filesystem implements Service
private function applyPathPrefix(string $path): string private function applyPathPrefix(string $path): string
{ {
if (strpos($path, '..') !== false) {
$path = "/";
}
return $this->joinPaths($this->getPathPrefix(), $path); return $this->joinPaths($this->getPathPrefix(), $path);
} }
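Review bot: The guard added at the top of applyPathPrefix matches `..` anywhere in the string, so a legitimate name such as `report..txt` or a directory named `...` is silently redirected to the prefix root instead of being handled, and the caller gets no signal that its path was replaced. Checking per path segment keeps the fix while avoiding that false positive: `if (in_array('..', explode('/', $path), true)) {` in place of the strpos test, with the existing `$path = "/";` kept below it. Silently substituting `/` also means a request for `/..` proceeds against the user's home root rather than failing; if any caller passes the returned path to a destructive operation (delete, move), throwing an exception here would be safer than continuing, though the callers are not visible from this hunk. If joinPaths or the storage adapter also accepts `\` as a separator, the split should cover both characters.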

dist/index.php vendored

@@ -39,7 +39,7 @@ if (! defined('APP_PUBLIC_PATH')) {
} }
define('APP_PUBLIC_DIR', __DIR__); define('APP_PUBLIC_DIR', __DIR__);
define('APP_VERSION', '7.4.3'); define('APP_VERSION', '7.4.4');
use Filegator\App; use Filegator\App;
use Filegator\Config\Config; use Filegator\Config\Config;


@@ -9,7 +9,7 @@ currentMenu: install
## Download precompiled build ## Download precompiled build
Precompiled build is created for non-developers. In this version, the frontend (html, css and javascript) is compiled for you and the source code is removed so the final archive contains only minimum files. Precompiled build is created for non-developers. In this version, the frontend (html, css and javascript) is compiled for you and the source code is removed so the final archive contains only minimum files.
- Download: [v7.4.3](https://github.com/filegator/static/raw/master/builds/filegator_v7.4.3.zip) - Download: [v7.4.4](https://github.com/filegator/static/raw/master/builds/filegator_v7.4.4.zip)
- Unzip files and upload them to your PHP server - Unzip files and upload them to your PHP server
- Make sure your webserver can read and write to `filegator/repository/` and `filegator/private/` folders - Make sure your webserver can read and write to `filegator/repository/` and `filegator/private/` folders
- Set the website document root to `filegator/dist/` directory. This is also known as 'public' folder - Set the website document root to `filegator/dist/` directory. This is also known as 'public' folder
@@ -26,8 +26,8 @@ apt update
apt install -y wget unzip php apache2 libapache2-mod-php php-zip apt install -y wget unzip php apache2 libapache2-mod-php php-zip
cd /var/www/ cd /var/www/
wget https://github.com/filegator/static/raw/master/builds/filegator_v7.4.3.zip wget https://github.com/filegator/static/raw/master/builds/filegator_v7.4.4.zip
unzip filegator_v7.4.3.zip && rm filegator_v7.4.3.zip unzip filegator_v7.4.4.zip && rm filegator_v7.4.4.zip
chown -R www-data:www-data filegator/ chown -R www-data:www-data filegator/
chmod -R 775 filegator/ chmod -R 775 filegator/


@@ -401,6 +401,9 @@ class FilesystemTest extends TestCase
$this->assertEquals('/john/test', $this->invokeMethod($this->storage, 'applyPathPrefix', ['/test'])); $this->assertEquals('/john/test', $this->invokeMethod($this->storage, 'applyPathPrefix', ['/test']));
$this->assertEquals('/john/test.txt', $this->invokeMethod($this->storage, 'applyPathPrefix', ['test.txt'])); $this->assertEquals('/john/test.txt', $this->invokeMethod($this->storage, 'applyPathPrefix', ['test.txt']));
$this->assertEquals('/john/test.txt/', $this->invokeMethod($this->storage, 'applyPathPrefix', ['test.txt/'])); $this->assertEquals('/john/test.txt/', $this->invokeMethod($this->storage, 'applyPathPrefix', ['test.txt/']));
// no escaping path to upper dir
$this->assertEquals('/john/', $this->invokeMethod($this->storage, 'applyPathPrefix', ['/..']));
$this->assertEquals('/john/', $this->invokeMethod($this->storage, 'applyPathPrefix', ['/sub/../../']));
} }
public function testStripPathPrefix() public function testStripPathPrefix()
@@ -770,4 +773,49 @@ class FilesystemTest extends TestCase
$this->assertDirectoryExists(TEST_REPOSITORY.'/test2/test1/'); $this->assertDirectoryExists(TEST_REPOSITORY.'/test2/test1/');
} }
public function testCannotGoUpTheHomeDirUsingPathFiddle()
{
$this->storage->createFile('/', 'hidden.txt');
$this->storage->createDir('/', 'johnsub');
$this->storage->createFile('/johnsub', 'john.txt');
$this->storage->setPathPrefix('/johnsub');
$ret = $this->storage->getDirectoryCollection('/');
$ret->resetTimestamps(-1);
$this->assertJsonStringEqualsJsonString(json_encode([
'location' => '/',
'files' => [
0 => [
'type' => 'file',
'path' => '/john.txt',
'name' => 'john.txt',
'size' => 0,
'time' => -1,
],
],
]), json_encode($ret));
$ret = $this->storage->getDirectoryCollection('/..');
$ret->resetTimestamps(-1);
$this->assertJsonStringEqualsJsonString(json_encode([
'location' => '/..',
'files' => [
0 => [
'type' => 'back',
'path' => '/',
'name' => '..',
'size' => 0,
'time' => -1,
],
1 => [
'type' => 'file',
'path' => '/john.txt',
'name' => 'john.txt',
'size' => 0,
'time' => -1,
],
],
]), json_encode($ret));
}
} }
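Review bot: The new assertions only exercise paths built from `..` segments, so they would not catch the substring check in applyPathPrefix also rewriting an ordinary filename that happens to contain two consecutive dots; add a negative case next to the `/..` assertions in the first hunk, e.g. `$this->assertEquals('/john/report..txt', $this->invokeMethod($this->storage, 'applyPathPrefix', ['report..txt']));`. testCannotGoUpTheHomeDirUsingPathFiddle also pins `'location' => '/..'` plus a `back` entry pointing at `/` for a listing that is actually the home root, so the response still echoes the traversal-looking path to the client; a one-line comment in the test saying this is intentional (neutralised server-side, not normalised in the response), or an assertion that the location is normalised, would make the contract explicit. The test method whose assertions the first hunk extends starts outside the hunk.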