Author: toad
Date: 2009-02-25 18:52:51 +0000 (Wed, 25 Feb 2009)
New Revision: 25820

Modified:
   trunk/freenet/src/freenet/clients/http/LocalFileInsertToadlet.java
Log:
Better fix for bug #2650


Modified: trunk/freenet/src/freenet/clients/http/LocalFileInsertToadlet.java
===================================================================
--- trunk/freenet/src/freenet/clients/http/LocalFileInsertToadlet.java  
2009-02-25 18:32:48 UTC (rev 25819)
+++ trunk/freenet/src/freenet/clients/http/LocalFileInsertToadlet.java  
2009-02-25 18:52:51 UTC (rev 25820)
@@ -55,6 +55,8 @@
                if(furi != null)
                        extra = "&key="+furi.toASCIIString();
                
+               File thisPath;
+               
                String path = request.getParam("path");
                if (path.length() == 0) {
                        if (currentPath == null) {
@@ -64,7 +66,7 @@
                        return;
                }
 
-               currentPath = new File(path).getCanonicalFile();
+               thisPath = new File(path).getCanonicalFile();
                
                
                PageMaker pageMaker = toadletContext.getPageMaker();
@@ -72,12 +74,21 @@
                HTMLNode pageNode = pageMaker.getPageNode(l10n("listingTitle", 
"path", currentPath.getAbsolutePath()), toadletContext);
                HTMLNode contentNode = pageMaker.getContentNode(pageNode);
 
-               if(!core.allowUploadFrom(currentPath)) {
+               if(!core.allowUploadFrom(thisPath)) {
                        HTMLNode infoboxE = 
contentNode.addChild(pageMaker.getInfobox("infobox-error",  "Forbidden"));
                        HTMLNode infoboxEContent = 
pageMaker.getContentNode(infoboxE);
                        infoboxEContent.addChild("#", l10n("dirAccessDenied"));
 
-                       currentPath = new 
File(System.getProperty("user.home")); // FIXME what if user.home is denied as 
well?
+                       thisPath = currentPath;
+                       if(!core.allowUploadFrom(thisPath)) {
+                               File[] allowedDirs = 
core.getAllowedUploadDirs();
+                               if(allowedDirs.length == 0) {
+                                       sendErrorPage(toadletContext, 403, 
"Forbidden", l10n("dirAccessDenied"));
+                                       return;
+                               } else {
+                                       thisPath = 
allowedDirs[core.node.fastWeakRandom.nextInt(allowedDirs.length)];
+                               }
+                       }
                }
 
                if(toadletContext.isAllowedFullAccess())
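Review bot: The listing title at the top of this hunk is still built from `currentPath.getAbsolutePath()`, but the commit no longer assigns `currentPath` before that line. The title therefore shows the directory of an earlier request rather than the one being listed. If `currentPath` can still be null when a `path` parameter is supplied (the earlier branch that sets it is outside the hunk), the call would throw. The fallback `thisPath = currentPath` raises the same null question just before `core.allowUploadFrom(thisPath)`; a guard such as `if(thisPath == null || !core.allowUploadFrom(thisPath)) {` would send that case to the allowed-directory fallback. Building the title from `thisPath` after the access check has settled would keep the heading and the listing in agreement.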
@@ -88,6 +99,9 @@
                HTMLNode listingDiv = infoboxDiv.addChild("div", "class", 
"infobox-content");
 
                if (currentPath.exists() && currentPath.isDirectory() && 
currentPath.canRead()) {
+                       // Known safe at this point
+                       currentPath = thisPath;
+
                        File[] files = currentPath.listFiles();
                        Arrays.sort(files, new Comparator<File>() {
                                public int compare(File firstFile, File 
secondFile) {
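Review bot: The guard `currentPath.exists() && currentPath.isDirectory() && currentPath.canRead()` tests the previous directory, while the listing that follows is taken from `thisPath`. The "Known safe at this point" comment therefore holds only for the `allowUploadFrom` check, not for existence, directory type or readability. If `thisPath` is a regular file or unreadable, `listFiles()` returns null and `Arrays.sort(files, ...)` throws. The condition should test the path that is about to be listed: `if (thisPath.exists() && thisPath.isDirectory() && thisPath.canRead()) {`. `currentPath` appears to be state kept across requests; if the toadlet instance serves concurrent requests, listing from the local `thisPath` instead of re-reading the field would stop one request from listing another's directory, which should be confirmed against the field declaration outside the hunk.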
