Apps/ImageApi
1
0
Fork 0
Code Issues Pull Requests 1 Releases Wiki Activity

Fix LFI bug

Browse Source 
Previously we blindly read whatever path the client provided and if the
user could read the file it would return from the call.
This commit is contained in:
Cameron Cordes
2020-09-15 16:35:05 -04:00
parent 2343351a4d
commit d2f7423c6c
1 changed files with 5 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/main.rs
View File

@@ -203,7 +203,11 @@ async fn stream_video(
let playlist = &path.path; let playlist = &path.path;
println!("Playlist: {}", playlist); println!("Playlist: {}", playlist);
if let Ok(file) = NamedFile::open(playlist) { // Extract video playlist dir to dotenv
if !playlist.starts_with("tmp") || playlist.contains("..") {
HttpResponse::NotFound().finish()
}
else if let Ok(file) = NamedFile::open(playlist) {
file.into_response(&request).unwrap() file.into_response(&request).unwrap()
} else { } else {
HttpResponse::NotFound().finish() HttpResponse::NotFound().finish()