loolwsd/FileServer.hpp | 24 ++++++++++++++++-------- loolwsd/LOOLWSD.cpp | 2 ++ 2 files changed, 18 insertions(+), 8 deletions(-)
New commits:
commit 29c9ecba2a589417b0d5757e6169ba9c7d4332ea
Author: Ashod Nakashian <[email protected]>
Date: Wed Apr 6 23:38:08 2016 -0400
loolwsd: deny access to directories outside of FileServerRoot
Change-Id: Iea92982ebd5f111c946eb1b12f5dfd7602fffd70
Reviewed-on: https://gerrit.libreoffice.org/23879
Reviewed-by: Ashod Nakashian <[email protected]>
Tested-by: Ashod Nakashian <[email protected]>
diff --git a/loolwsd/FileServer.hpp b/loolwsd/FileServer.hpp
index 2dbbc4c..5a79793 100644
--- a/loolwsd/FileServer.hpp
+++ b/loolwsd/FileServer.hpp
@@ -110,13 +110,14 @@ public:
         Poco::URI requestUri(request.getURI());
         std::vector<std::string> requestSegments;
         requestUri.getPathSegments(requestSegments);
-
-        // TODO: We might want to package all files from leaflet to some other dir and restrict
-        // file serving to it (?)
-        const std::string endPoint = requestSegments[requestSegments.size() - 1];
+        if (requestSegments.size() < 1)
+        {
+            throw Poco::FileNotFoundException("Invalid file.");
+        }
 
         if (request.getMethod() == HTTPRequest::HTTP_GET)
         {
+            const std::string endPoint = requestSegments[requestSegments.size() - 1];
             if (endPoint == "admin.html" ||
                 endPoint == "adminSettings.html" ||
                 endPoint == "adminAnalytics.html")
@@ -125,7 +126,14 @@ public:
                 throw Poco::Net::NotAuthenticatedException("Invalid admin login");
             }
 
-            const std::string filePath = requestUri.getPath();
+            const auto path = Poco::Path(LOOLWSD::FileServerRoot, requestUri.getPath());
+            const auto filepath = path.absolute().toString();
+            if (filepath.find(LOOLWSD::FileServerRoot) != 0)
+            {
+                // Accessing unauthorized path.
+                throw Poco::FileNotFoundException("Invalid file path.");
+            }
+
             const std::size_t extPoint = endPoint.find_last_of(".");
             if (extPoint == std::string::npos)
                 throw Poco::FileNotFoundException("Invalid file.");
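Review bot: The new guard `if (requestSegments.size() < 1)` and the lookup `requestSegments[requestSegments.size() - 1]` read more directly as `if (requestSegments.empty())` and `requestSegments.back()`, which also removes the size-minus-one arithmetic the guard exists to protect. This is a point of style only; the behaviour is the same. The enclosing handler starts before this hunk.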
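Review bot: The containment check `if (filepath.find(LOOLWSD::FileServerRoot) != 0)` is a plain string-prefix test and does not anchor on a path separator, so when `FileServerRoot` carries no trailing slash (the `LOOLWSD.cpp` hunk stores `Poco::Path(FileServerRoot).absolute().toString()`, which as far as I know treats the last component as a file name and emits none) any sibling directory whose name merely begins with the root's name would satisfy it. Compare against the root as a directory instead, e.g. `const std::string root = Poco::Path::forDirectory(LOOLWSD::FileServerRoot).toString();` followed by `if (filepath.compare(0, root.size(), root) != 0)`. Also, `absolute()` only prefixes the current directory: I do not believe the two-argument `Poco::Path` constructor parses `..` segments in its second argument, and symlinks below the root are never resolved, so it is worth rejecting any `..` entry in `requestSegments` (already in scope) before the path is built rather than relying on the string comparison alone. Either fix could equally live where `FileServerRoot` is canonicalised in `LOOLWSD.cpp`; the enclosing handler starts before this hunk.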
@@ -142,12 +150,12 @@ public:
                 mimeType = "text/plain";
 
             response.setContentType(mimeType);
-            response.sendFile(LOOLWSD::FileServerRoot + requestUri.getPath(), mimeType);
+            response.sendFile(filepath, mimeType);
         }
     }
     catch (Poco::Net::NotAuthenticatedException& exc)
     {
-        Log::info ("FileServerRequestHandler::NotAuthenticated");
+        Log::error("FileServerRequestHandler::NotAuthenticated");
         response.set("WWW-Authenticate", "Basic realm=\"online\"");
         response.setStatus(HTTPResponse::HTTP_UNAUTHORIZED);
         response.setContentLength(0);
@@ -155,7 +163,7 @@ public:
     }
     catch (Poco::FileNotFoundException& exc)
     {
-        Log::info("FileServerRequestHandler:: File " + request.getURI() + " not found.");
+        Log::error("FileServerRequestHandler:: File [" + request.getURI() + "] not found.");
         response.setStatus(HTTPResponse::HTTP_NOT_FOUND);
         response.setContentLength(0);
         response.send();
diff --git a/loolwsd/LOOLWSD.cpp b/loolwsd/LOOLWSD.cpp
index 78b3915..91bbf4d 100644
--- a/loolwsd/LOOLWSD.cpp
+++ b/loolwsd/LOOLWSD.cpp
@@ -1219,6 +1219,8 @@ int LOOLWSD::main(const std::vector<std::string>& /*args*/)
 
     if (FileServerRoot.empty())
         FileServerRoot = Path(Application::instance().commandPath()).parent().parent().toString();
+    FileServerRoot = Poco::Path(FileServerRoot).absolute().toString();
+    Log::debug("FileServerRoot: " + FileServerRoot);
 
     if (ClientPortNumber == MASTER_PORT_NUMBER)
         throw IncompatibleOptionsException("port");
_______________________________________________
Libreoffice-commits mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
