backport 5571 (#5573)
parent
b45d58805a
commit
21c70e1ed2
2 changed files with 48 additions and 1 deletions
|
@ -559,6 +559,17 @@ func UploadFilePost(ctx *context.Context, form auth.UploadRepoFileForm) {
|
||||||
ctx.Redirect(ctx.Repo.RepoLink + "/src/branch/" + branchName + "/" + form.TreePath)
|
ctx.Redirect(ctx.Repo.RepoLink + "/src/branch/" + branchName + "/" + form.TreePath)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func cleanUploadFileName(name string) string {
|
||||||
|
name = strings.TrimLeft(name, "./\\")
|
||||||
|
name = strings.Replace(name, "../", "", -1)
|
||||||
|
name = strings.Replace(name, "..\\", "", -1)
|
||||||
|
name = strings.TrimPrefix(path.Clean(name), ".git/")
|
||||||
|
if name == ".git" {
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
return name
|
||||||
|
}
|
||||||
|
|
||||||
// UploadFileToServer upload file to server file dir not git
|
// UploadFileToServer upload file to server file dir not git
|
||||||
func UploadFileToServer(ctx *context.Context) {
|
func UploadFileToServer(ctx *context.Context) {
|
||||||
file, header, err := ctx.Req.FormFile("file")
|
file, header, err := ctx.Req.FormFile("file")
|
||||||
|
@ -591,7 +602,13 @@ func UploadFileToServer(ctx *context.Context) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
upload, err := models.NewUpload(header.Filename, buf, file)
|
name := cleanUploadFileName(header.Filename)
|
||||||
|
if len(name) == 0 {
|
||||||
|
ctx.Error(500, "Upload file name is invalid")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
upload, err := models.NewUpload(name, buf, file)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
ctx.Error(500, fmt.Sprintf("NewUpload: %v", err))
|
ctx.Error(500, fmt.Sprintf("NewUpload: %v", err))
|
||||||
return
|
return
|
||||||
|
|
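Review bot: cleanUploadFileName removes `../` and `..\` with a single strings.Replace pass each, and one pass can leave a fresh parent reference behind when the removed text sat inside a longer run of dots and separators; path.Clean then resolves only forward-slash segments, so the returned name is not guaranteed to be free of a leading `..` or of backslashes. The `.git` handling is also narrow: only a leading `.git/` is trimmed and only the exact name `.git` is rejected, so a `.git` component deeper in the path or in another letter case is returned unchanged. Whether either case reaches the filesystem or the repository tree depends on models.NewUpload and the later commit step, which are outside this hunk. I would normalise separators, resolve the path against a virtual root and reject (not rewrite) any name with a `.git` component, as below; the expectations in TestCleanUploadName would need updating to match, and the empty-name branch in UploadFileToServer would fit better as a 400 than a 500.

```go
func cleanUploadFileName(name string) string {
	// Treat both separators alike so the checks below see one form only.
	name = strings.Replace(name, "\\", "/", -1)
	// Resolve "." and ".." against a virtual root; the result cannot climb above it.
	name = strings.TrimPrefix(path.Clean("/"+name), "/")
	// Reject, rather than rewrite, anything that touches a .git directory.
	for _, part := range strings.Split(name, "/") {
		if strings.EqualFold(part, ".git") {
			return ""
		}
	}
	return name
}
```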
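--- a/routers/repo/editor_test.go
+++ b/routers/repo/editor_test.go
@@ -0,0 +1,30 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package repo
+
+import (
+"testing"
+
+"code.gitea.io/gitea/models"
+"github.com/stretchr/testify/assert"
+)
+
+func TestCleanUploadName(t *testing.T) {
+models.PrepareTestEnv(t)
+
+var kases = map[string]string{
+".git/refs/master": "git/refs/master",
+"/root/abc": "root/abc",
+"./../../abc": "abc",
+"a/../.git": "a/.git",
+"a/../../../abc": "a/abc",
+"../../../acd": "acd",
+"../../.git/abc": "git/abc",
+"..\\..\\.git/abc": "git/abc",
+}
+for k, v := range kases {
+assert.EqualValues(t, v, cleanUploadFileName(k))
+}
+}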
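Review bot: The table in TestCleanUploadName has no case for an ordinary leading-dot file name, and the `strings.TrimLeft(name, "./\\")` step in cleanUploadFileName strips that dot, so an entry such as `".gitignore": ".gitignore"` would fail today and expose the silent rename. The assertion also gives no hint which input failed; `assert.EqualValues(t, v, cleanUploadFileName(k), "input %q", k)` would name it. `models.PrepareTestEnv(t)` looks unnecessary for a pure string function and could probably be dropped, though its definition is outside this page.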