[Libreoffice-commits] online.git: loolwsd/FileServer.hpp loolwsd/LOOLWSD.cpp
Ashod Nakashian
ashod.nakashian at collabora.co.uk
Thu Apr 7 04:43:23 UTC 2016
loolwsd/FileServer.hpp | 24 ++++++++++++++++--------
loolwsd/LOOLWSD.cpp | 2 ++
2 files changed, 18 insertions(+), 8 deletions(-)
New commits:
commit 29c9ecba2a589417b0d5757e6169ba9c7d4332ea
Author: Ashod Nakashian <ashod.nakashian at collabora.co.uk>
Date: Wed Apr 6 23:38:08 2016 -0400
loolwsd: deny access to directories outside of FileServerRoot
Change-Id: Iea92982ebd5f111c946eb1b12f5dfd7602fffd70
Reviewed-on: https://gerrit.libreoffice.org/23879
Reviewed-by: Ashod Nakashian <ashnakash at gmail.com>
Tested-by: Ashod Nakashian <ashnakash at gmail.com>
diff --git a/loolwsd/FileServer.hpp b/loolwsd/FileServer.hpp
index 2dbbc4c..5a79793 100644
--- a/loolwsd/FileServer.hpp
+++ b/loolwsd/FileServer.hpp
@@ -110,13 +110,14 @@ public:
Poco::URI requestUri(request.getURI());
std::vector<std::string> requestSegments;
requestUri.getPathSegments(requestSegments);
-
- // TODO: We might want to package all files from leaflet to some other dir and restrict
- // file serving to it (?)
- const std::string endPoint = requestSegments[requestSegments.size() - 1];
+ if (requestSegments.size() < 1)
+ {
+ throw Poco::FileNotFoundException("Invalid file.");
+ }
if (request.getMethod() == HTTPRequest::HTTP_GET)
{
+ const std::string endPoint = requestSegments[requestSegments.size() - 1];
if (endPoint == "admin.html" ||
endPoint == "adminSettings.html" ||
endPoint == "adminAnalytics.html")
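Review bot: The new guard and the endPoint lookup spell out `size() < 1` and `size() - 1` where the vector API states the intent more plainly; `if (requestSegments.empty())` and `const std::string endPoint = requestSegments.back();` say "reject an empty path, take its last segment" without index arithmetic. Moving endPoint inside the GET branch is fine as far as these hunks show, since its only uses are within that branch. The enclosing handler starts before this hunk and continues past it.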
@@ -125,7 +126,14 @@ public:
throw Poco::Net::NotAuthenticatedException("Invalid admin login");
}
- const std::string filePath = requestUri.getPath();
+ const auto path = Poco::Path(LOOLWSD::FileServerRoot, requestUri.getPath());
+ const auto filepath = path.absolute().toString();
+ if (filepath.find(LOOLWSD::FileServerRoot) != 0)
+ {
+ // Accessing unauthorized path.
+ throw Poco::FileNotFoundException("Invalid file path.");
+ }
+
const std::size_t extPoint = endPoint.find_last_of(".");
if (extPoint == std::string::npos)
throw Poco::FileNotFoundException("Invalid file.");
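Review bot: The containment test on the `filepath.find(LOOLWSD::FileServerRoot) != 0` line is a plain string-prefix check, so any absolute path that merely begins with the root string — a sibling directory whose name starts with the root's last component — also passes; it is only tight when the root ends in a path separator, which the normalisation added in the LOOLWSD.cpp hunk does not guarantee (as far as I recall, Poco::Path parses a trailing segment without a separator as a file name, so `toString()` yields no trailing separator). A local fix that does not depend on how the root was normalised is to compare against a separator-terminated root, e.g. `const std::string root = Poco::Path::forDirectory(LOOLWSD::FileServerRoot).toString();` followed by `if (filepath.compare(0, root.size(), root) != 0)`. Note also that `Poco::Path::absolute()` is lexical: it does not resolve symlinks under the root and does not by itself collapse `..` segments, so whether the two-argument Path constructor collapses them for `requestUri.getPath()` is worth pinning with a unit test whose request path contains a `..` segment. The enclosing handler starts before this hunk.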
@@ -142,12 +150,12 @@ public:
mimeType = "text/plain";
response.setContentType(mimeType);
- response.sendFile(LOOLWSD::FileServerRoot + requestUri.getPath(), mimeType);
+ response.sendFile(filepath, mimeType);
}
}
catch (Poco::Net::NotAuthenticatedException& exc)
{
- Log::info ("FileServerRequestHandler::NotAuthenticated");
+ Log::error("FileServerRequestHandler::NotAuthenticated");
response.set("WWW-Authenticate", "Basic realm=\"online\"");
response.setStatus(HTTPResponse::HTTP_UNAUTHORIZED);
response.setContentLength(0);
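Review bot: The failed-admin-login log on the `Log::error("FileServerRequestHandler::NotAuthenticated")` line records no client address, so repeated failures cannot be correlated to a source when the logs are reviewed. If `request` is a Poco HTTPServerRequest (which `request.getURI()` suggests but the hunk does not show), `Log::error("FileServerRequestHandler::NotAuthenticated from " + request.clientAddress().toString());` gives operators that context at no extra cost. The bound `exc` is unused in this catch, as it was before the change.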
@@ -155,7 +163,7 @@ public:
}
catch (Poco::FileNotFoundException& exc)
{
- Log::info("FileServerRequestHandler:: File " + request.getURI() + " not found.");
+ Log::error("FileServerRequestHandler:: File [" + request.getURI() + "] not found.");
response.setStatus(HTTPResponse::HTTP_NOT_FOUND);
response.setContentLength(0);
response.send();
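Review bot: The 404 log on the `Log::error("FileServerRequestHandler:: File [" + request.getURI() + "] not found.");` line discards the exception text, so a request rejected by the new root-containment check ("Invalid file path.") is indistinguishable in the log from an ordinary missing file or a missing extension. Appending the message, `Log::error("FileServerRequestHandler:: File [" + request.getURI() + "] not found: " + exc.displayText());`, keeps the denied-path case visible for monitoring. The catch block continues past the end of this hunk.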
diff --git a/loolwsd/LOOLWSD.cpp b/loolwsd/LOOLWSD.cpp
index 78b3915..91bbf4d 100644
--- a/loolwsd/LOOLWSD.cpp
+++ b/loolwsd/LOOLWSD.cpp
@@ -1219,6 +1219,8 @@ int LOOLWSD::main(const std::vector<std::string>& /*args*/)
if (FileServerRoot.empty())
FileServerRoot = Path(Application::instance().commandPath()).parent().parent().toString();
+ FileServerRoot = Poco::Path(FileServerRoot).absolute().toString();
+ Log::debug("FileServerRoot: " + FileServerRoot);
if (ClientPortNumber == MASTER_PORT_NUMBER)
throw IncompatibleOptionsException("port");
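Review bot: The normalised root on the `FileServerRoot = Poco::Path(FileServerRoot).absolute().toString();` line is never checked to exist or to be a directory, so a mis-set root only surfaces later as a 404 on every static file. Failing fast, or at least logging at warning level, when `!Poco::File(FileServerRoot).isDirectory()` would make the misconfiguration visible at startup next to the new debug line. Keep in mind that `absolute()` resolves lexically against the current working directory and does not follow symlinks, so the logged value is the path as configured, not the canonical directory. LOOLWSD::main starts before this hunk and continues past it.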