fix(dput): validate :file path param to prevent directory traversal

André Roth
2026-06-04 16:10:50 +00:00
parent 12390f102e
commit 4e4ca0f38e
+7 -1
@@ -208,6 +208,12 @@ func apiFilesUploadOne(c *gin.Context) {
return
}
fileName := c.Params.ByName("file")
if !verifyPath(fileName) {
AbortWithJSONError(c, 400, fmt.Errorf("wrong file"))
return
}
path := filepath.Join(context.UploadPath(), utils.SanitizePath(c.Params.ByName("dir")))
err := os.MkdirAll(path, 0777)
@@ -217,7 +223,7 @@ func apiFilesUploadOne(c *gin.Context) {
}
stored := []string{}
destPath := filepath.Join(path, c.Params.ByName("file"))
destPath := filepath.Join(path, fileName)
dst, err := os.Create(destPath)
if err != nil {
AbortWithJSONError(c, 500, err)
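Review bot: The new guard `if !verifyPath(fileName)` in the first hunk is only as strong as `verifyPath`, whose body is not visible on this page, while `:file` is meant to be a single file name rather than a path. Because the value is joined into `destPath` in the second hunk, I would also reject anything that is not a bare name, for example `if fileName == "" || fileName != filepath.Base(fileName) || !verifyPath(fileName) {`, so that a value containing a separator cannot create nested paths under the upload directory. The `dir` parameter is handled by `utils.SanitizePath` (silently rewritten) whereas `file` is now rejected with a 400; a one-line comment such as `// :file must be a plain file name; reject instead of sanitizing so the client learns the upload was refused` would record why the two differ. The diffstat (+7 -1) suggests no regression test accompanies the fix, so a test asserting a 400 for `..` and for names containing a separator would be worth adding. `apiFilesUploadOne` starts and ends outside both hunks.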