Do not allow /ext to return files whose names begin with "." or "-" even if those files occur in the top-level extroot directory.
Commit
e91de28b69ca4e2a6121a39e8bd7a6f667b2c6457cff19f35be6a79cfd02a164
Parent
893fca3a15eff2a…
1 file changed
+4
+4
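--- a/src/extcgi.c
+++ b/src/extcgi.c
@@ -126,10 +126,14 @@
 goto ext_not_found;
 }
 if( zName==0 ){
 zFailReason = "no path beyond /ext";
 goto ext_not_found;
+}
+if( zName[0]=='.' || zName[0]=='-' ){
+zFailReason = "path element begins with '.' or '-'";
+goto ext_not_found;
 }
 if( file_isdir(g.zExtRoot,ExtFILE)!=1 ){
 zFailReason = "extroot is not a directory";
 goto ext_not_found;
 }
 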
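Review bot: The new guard at new lines 132–135 reads only zName[0], so on its own it covers just the first character of the path beyond /ext; the commit message implies deeper path elements are already screened elsewhere in the function, which is outside this hunk, so a one-line comment stating why this extra top-level check exists would stop a later reader from treating it as redundant, e.g. `/* Never serve a top-level name starting with '.' (hidden file) or '-' (option-like); deeper elements are checked separately. */`. The check is placed before file_isdir(g.zExtRoot,ExtFILE), so the rejection happens before any filesystem access, which is the right ordering. Note that zFailReason says "path element" while the test inspects only the leading element; the wording is fine if the later per-element check reuses the same message, otherwise "top-level name" would be more precise. The enclosing function begins and ends outside the hunk.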
| --- src/extcgi.c | |
| +++ src/extcgi.c | |
| @@ -126,10 +126,14 @@ | |
| 126 | goto ext_not_found; |
| 127 | } |
| 128 | if( zName==0 ){ |
| 129 | zFailReason = "no path beyond /ext"; |
| 130 | goto ext_not_found; |
| 131 | } |
| 132 | if( file_isdir(g.zExtRoot,ExtFILE)!=1 ){ |
| 133 | zFailReason = "extroot is not a directory"; |
| 134 | goto ext_not_found; |
| 135 | } |
| 136 |
| --- src/extcgi.c | |
| +++ src/extcgi.c | |
| @@ -126,10 +126,14 @@ | |
| 126 | goto ext_not_found; |
| 127 | } |
| 128 | if( zName==0 ){ |
| 129 | zFailReason = "no path beyond /ext"; |
| 130 | goto ext_not_found; |
| 131 | } |
| 132 | if( zName[0]=='.' || zName[0]=='-' ){ |
| 133 | zFailReason = "path element begins with '.' or '-'"; |
| 134 | goto ext_not_found; |
| 135 | } |
| 136 | if( file_isdir(g.zExtRoot,ExtFILE)!=1 ){ |
| 137 | zFailReason = "extroot is not a directory"; |
| 138 | goto ext_not_found; |
| 139 | } |
| 140 |