paweld/fpc
1
0
Fork 0
mirror of https://gitlab.com/freepascal.org/fpc/source.git synced 2025-08-18 19:29:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

* Apply basic security on filename: do not allow files to be retrieved outside base dir/location

Browse Source 
git-svn-id: trunk@39404 -
This commit is contained in:
michael 2018-07-07 11:11:28 +00:00
parent 6cab9fd7db
commit bebd4483d2
1 changed files with 43 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
packages/fcl-web/src/base/fpwebfile.pp
View File

@ -30,6 +30,7 @@ Type
FRequestedFileName, FRequestedFileName,
FMappedFileName : String; FMappedFileName : String;
class procedure HandleSimpleFileRequest(ARequest: TRequest; AResponse: TResponse); static; class procedure HandleSimpleFileRequest(ARequest: TRequest; AResponse: TResponse); static;
Function AllowFile(Const AFileName : String) : Boolean; override;
Function MapFileName(Const AFileName : String) : String; override; Function MapFileName(Const AFileName : String) : String; override;
Function GetRequestFileName(Const ARequest : TRequest) : String; override; Function GetRequestFileName(Const ARequest : TRequest) : String; override;
Procedure HandleRequest(ARequest : TRequest; AResponse : TResponse); override; Procedure HandleRequest(ARequest : TRequest; AResponse : TResponse); override;
@ -79,21 +80,30 @@ end;
Procedure RegisterFileLocation(Const ALocation,ADirectory : String); Procedure RegisterFileLocation(Const ALocation,ADirectory : String);
Var
D,BaseDir : String;
begin begin
if (ALocation='') then if (ALocation='') then
Raise HTTPError.Create(SErrNoLocation); Raise HTTPError.Create(SErrNoLocation);
if Pos('/',ALocation)<>0 then if Pos('/',ALocation)<>0 then
Raise HTTPError.Create(SErrInvalidLocation); Raise HTTPError.Create(SErrInvalidLocation);
if not DirectoryExists(ADirectory) then
Raise HTTPError.Create(SErrInvalidDirectory);
if (Locations=Nil) then if (Locations=Nil) then
Locations:=TStringList.Create; Locations:=TStringList.Create;
if DefaultFileModuleClass=Nil then if DefaultFileModuleClass=Nil then
DefaultFileModuleClass:=TFPCustomFileModule; DefaultFileModuleClass:=TFPCustomFileModule;
BaseDir:=ExtractFilePath(ParamStr(0));
if (ADirectory='') then if (ADirectory='') then
Locations.Values[IncludeHTTPPathDelimiter(ALocation)]:=ExtractFilePath(ParamStr(0)) Locations.Values[IncludeHTTPPathDelimiter(ALocation)]:=BaseDir
else else
Locations.Values[IncludeHTTPPathDelimiter(ALocation)]:=IncludeTrailingPathDelimiter(ADirectory); begin
D:=ADirectory;
if Copy(D,1,1)<>'/' then
D:=BaseDir+D;
if not DirectoryExists(D) then
Raise HTTPError.CreateFmt(SErrInvalidDirectory,[D]);
Locations.Values[IncludeHTTPPathDelimiter(ALocation)]:=IncludeTrailingPathDelimiter(D);
end;
RegisterHTTPModule(ALocation,DefaultFileModuleClass,true); RegisterHTTPModule(ALocation,DefaultFileModuleClass,true);
end; end;
@ -110,13 +120,24 @@ begin
end; end;
end; end;
function TSimpleFileModule.AllowFile(const AFileName: String): Boolean;
Var
FN : String;
begin
FN:=ExpandFileName(aFileName);
FN:=ExtractRelativepath(IncludeTrailingPathDelimiter(BaseDir),FN);
Result:=Pos('..'+PathDelim,FN)=0;
end;
function TSimpleFileModule.MapFileName(const AFileName: String): String; function TSimpleFileModule.MapFileName(const AFileName: String): String;
begin begin
Result:=AFileName; Result:=AFileName;
While (Result<>'') and (Result[1]='/') do While (Result<>'') and (Result[1]='/') do
Delete(Result,1,1); Delete(Result,1,1);
Result:=IncludeTrailingPathDelimiter(BaseDir)+Result; Result:=ExpandFileName(IncludeTrailingPathDelimiter(BaseDir)+Result);
FRequestedFileName:=AFileName; FRequestedFileName:=AFileName;
FMappedFileName:=Result; FMappedFileName:=Result;
end; end;
@ -177,14 +198,28 @@ begin
begin begin
Result:=D+AFileName; Result:=D+AFileName;
DoDirSeparators(Result); DoDirSeparators(Result);
Result:=ExpandFileName(Result);
end; end;
end; end;
end; end;
Function TFPCustomFileModule.AllowFile(Const AFileName : String) : Boolean; Function TFPCustomFileModule.AllowFile(Const AFileName : String) : Boolean;
Var
BaseDir,FN : String;
begin begin
Result:=True; FN:=ExpandFileName(aFileName);
if (BaseURL='') then
BaseDir:=ExtractFilePath(Paramstr(0))
else
begin
BaseDir:=Locations.Values[BaseURL];
if (BaseURL='') then
BaseDir:=ExtractFilePath(Paramstr(0))
end;
FN:=ExtractRelativepath(BaseDir,aFileName);
Result:=Pos('..'+PathDelim,FN)=0;
end; end;
procedure TFPCustomFileModule.SendFile(Const AFileName : String; AResponse : TResponse); procedure TFPCustomFileModule.SendFile(Const AFileName : String; AResponse : TResponse);