From 6076674d3a699fcccd6509fe98af1d1dc731f1c7 Mon Sep 17 00:00:00 2001 From: zeripath Date: Fri, 4 Jan 2019 16:29:36 +0000 Subject: [PATCH] SECURITY: protect DeleteFilePost et al with cleanUploadFileName (#5631) (#5634) This commit wraps more of the TreePaths with cleanUploadFileName Signed-off-by: Andrew Thornton --- routers/repo/editor.go | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/routers/repo/editor.go b/routers/repo/editor.go index f64b0002a..4e3557dbb 100644 --- a/routers/repo/editor.go +++ b/routers/repo/editor.go @@ -163,7 +163,11 @@ func editFilePost(ctx *context.Context, form auth.EditRepoFileForm, isNewFile bo branchName = form.NewBranchName } - form.TreePath = strings.Trim(path.Clean("/"+form.TreePath), " /") + form.TreePath = cleanUploadFileName(form.TreePath) + if len(form.TreePath) == 0 { + ctx.Error(500, "Upload file name is invalid") + return + } treeNames, treePaths := getParentTreeFields(form.TreePath) ctx.Data["TreePath"] = form.TreePath @@ -373,6 +377,13 @@ func DeleteFile(ctx *context.Context) { func DeleteFilePost(ctx *context.Context, form auth.DeleteRepoFileForm) { ctx.Data["PageIsDelete"] = true ctx.Data["BranchLink"] = ctx.Repo.RepoLink + "/src/" + ctx.Repo.BranchNameSubURL() + + ctx.Repo.TreePath = cleanUploadFileName(ctx.Repo.TreePath) + if len(ctx.Repo.TreePath) == 0 { + ctx.Error(500, "Delete file name is invalid") + return + } + ctx.Data["TreePath"] = ctx.Repo.TreePath canCommit := renderCommitRights(ctx) @@ -477,7 +488,12 @@ func UploadFilePost(ctx *context.Context, form auth.UploadRepoFileForm) { branchName = form.NewBranchName } - form.TreePath = strings.Trim(path.Clean("/"+form.TreePath), " /") + form.TreePath = cleanUploadFileName(form.TreePath) + if len(form.TreePath) == 0 { + ctx.Error(500, "Upload file name is invalid") + return + } + treeNames, treePaths := getParentTreeFields(form.TreePath) if len(treeNames) == 0 { // We must at least have one element for user to input.