saret/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2025-09-11 03:05:58 +03:00
Code Issues Packages Projects Releases Wiki Activity

Protect namedfile against path traversal, rocket only does it for pathbuf

Browse Source
This commit is contained in:
Daniel García
2021-07-15 19:15:55 +02:00
parent 3968bc8016
commit e5ec245626
3 changed files with 36 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/api/web.rs
View File

@@ -4,7 +4,7 @@ use rocket::{http::ContentType, response::content::Content, response::NamedFile,
use rocket_contrib::json::Json;
use serde_json::Value;
use crate::{error::Error, util::Cached, CONFIG};
use crate::{CONFIG, error::Error, util::{Cached, SafeString}};
pub fn routes() -> Vec<Route> {
// If addding more routes here, consider also adding them to
@@ -56,7 +56,7 @@ fn web_files(p: PathBuf) -> Cached<Option<NamedFile>> {
}
#[get("/attachments/<uuid>/<file_id>")]
fn attachments(uuid: String, file_id: String) -> Option<NamedFile> {
fn attachments(uuid: SafeString, file_id: SafeString) -> Option<NamedFile> {
NamedFile::open(Path::new(&CONFIG.attachments_folder()).join(uuid).join(file_id)).ok()
}