ETM-Schurig/powersync-core
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix file path verification in webserver

Browse Source
This commit is contained in:
Michael Zanetti 2017-09-05 17:54:22 +02:00
parent a8b3cc30ca
commit 6a34ad46c8
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
server/webserver.cpp
View File

@ -145,7 +145,7 @@ bool WebServer::verifyFile(QSslSocket *socket, const QString &fileName)
{
QFileInfo file(fileName);
// make shore the file exists
// make sure the file exists
if (!file.exists()) {
qCWarning(dcWebServer) << "requested file" << file.filePath() << "does not exist.";
HttpReply *reply = RestResource::createErrorReply(HttpReply::NotFound);
@ -155,8 +155,8 @@ bool WebServer::verifyFile(QSslSocket *socket, const QString &fileName)
return false;
}
// make shore the file is in the public directory
if (!file.canonicalFilePath().startsWith(m_configuration.publicFolder)) {
// make sure the file is in the public directory
if (!file.canonicalFilePath().startsWith(QDir(m_configuration.publicFolder).canonicalPath())) {
qCWarning(dcWebServer) << "requested file" << file.fileName() << "is outside the public folder.";
HttpReply *reply = RestResource::createErrorReply(HttpReply::Forbidden);
reply->setClientId(m_clientList.key(socket));
@ -165,7 +165,7 @@ bool WebServer::verifyFile(QSslSocket *socket, const QString &fileName)
return false;
}
// make shore we can read the file
// make sure we can read the file
if (!file.isReadable()) {
qCWarning(dcWebServer) << "requested file" << file.fileName() << "is not readable.";
HttpReply *reply = RestResource::createErrorReply(HttpReply::Forbidden);