From 6addb02bbb27791f126cabd5e245fcb6a08ba24e Mon Sep 17 00:00:00 2001
From: Relintai
Date: Sun, 10 Mar 2024 08:21:24 +0100
Subject: [PATCH] Added new wwwroot_get_simplified_abs_path() helper to FileCache. Also improved the other path helper methods.
---
 modules/web/file_cache.cpp | 31 ++++++++++++++++++++++++++++++-
 modules/web/file_cache.h | 2 ++
 2 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/modules/web/file_cache.cpp b/modules/web/file_cache.cpp
index 763fe5242..c69bdc718 100644
--- a/modules/web/file_cache.cpp
+++ b/modules/web/file_cache.cpp
@@ -69,6 +69,13 @@ bool FileCache::wwwroot_has_file(const String &file_path) {
 String fp = _wwwroot_abs + file_path;
+ fp = fp.simplify_path();
+
+ // Don't allow going outside wwwroot
+ if (!fp.begins_with(_wwwroot_abs)) {
+ return false;
+ }
+
 if (!FileAccess::exists(fp)) {
 return false;
 }
@@ -92,7 +99,7 @@ bool FileCache::wwwroot_has_file(const String &file_path) {
 String absp = f->get_path_absolute();
 memdelete(f);
- //likely a directory walking attempt. e.g. ../../../../../etc/passwd
+ // likely a directory walking attempt. e.g. ../../../../../etc/passwd
 if (!absp.begins_with(_wwwroot_abs)) {
 return false;
 }
@@ -107,6 +114,13 @@ String FileCache::wwwroot_get_file_abspath(const String &file_path) {
 String fp = _wwwroot_abs + file_path;
+ fp = fp.simplify_path();
+
+ // Don't allow going outside wwwroot
+ if (!fp.begins_with(_wwwroot_abs)) {
+ return String();
+ }
+
 if (!FileAccess::exists(fp)) {
 return String();
 }
@@ -138,6 +152,19 @@ String FileCache::wwwroot_get_file_abspath(const String &file_path) {
 return absp;
 }
+String FileCache::wwwroot_get_simplified_abs_path(const String &file_path) {
+ String fp = _wwwroot_abs + file_path;
+
+ fp = fp.simplify_path();
+
+ // Don't allow going outside wwwroot
+ if (!fp.begins_with(_wwwroot_abs)) {
+ return String();
+ }
+
+ return fp;
+}
+
 bool FileCache::get_cached_body(const String &path, String *body) {
 //TODO ERROR MACRO body == null
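Review bot: The new guard `if (!fp.begins_with(_wwwroot_abs))` is a plain string-prefix test, so a normalized path that merely shares the root's prefix (illustrative values: a root of `/srv/www` and a request that simplifies to `/srv/www-private/x`) passes it unless `_wwwroot_abs` is guaranteed to end with a separator, which nothing in the hunk shows. The same check is repeated in the wwwroot_get_file_abspath hunk and in the new wwwroot_get_simplified_abs_path, and anchoring it on the separator closes the gap in all three, along the lines of `const String root = _wwwroot_abs.ends_with("/") ? _wwwroot_abs : _wwwroot_abs + "/";` followed by `if (fp != _wwwroot_abs && !fp.begins_with(root)) {`. Note also that simplify_path() only rewrites the string, so this check does not see symlinks: wwwroot_has_file still re-checks the opened file's get_path_absolute() in the following hunk, but the new helper returns fp with no second check, which its comment should say. wwwroot_has_file's body continues outside the hunk.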
@@ -264,6 +291,8 @@ void FileCache::_bind_methods() {
 ClassDB::bind_method(D_METHOD("wwwroot_has_file", "file_path"), &FileCache::wwwroot_has_file);
 ClassDB::bind_method(D_METHOD("wwwroot_get_file_abspath", "file_path"), &FileCache::wwwroot_get_file_abspath);
+ ClassDB::bind_method(D_METHOD("wwwroot_get_simplified_abs_path", "file_path"), &FileCache::wwwroot_get_simplified_abs_path);
+
+ ClassDB::bind_method(D_METHOD("get_cached_body", "path"), &FileCache::get_cached_body_bind);
 ClassDB::bind_method(D_METHOD("has_cached_body", "path"), &FileCache::has_cached_body);
 ClassDB::bind_method(D_METHOD("set_cached_body", "path", "body"), &FileCache::set_cached_body);
diff --git a/modules/web/file_cache.h b/modules/web/file_cache.h
index 4c8494a53..9cb3765eb 100644
--- a/modules/web/file_cache.h
+++ b/modules/web/file_cache.h
@@ -57,6 +57,8 @@ public:
 //e.g. http://127.0.0.1/a/b/d.jpg -> /a/b/d.jpg
 bool wwwroot_has_file(const String &file_path);
 String wwwroot_get_file_abspath(const String &file_path);
+
+ String wwwroot_get_simplified_abs_path(const String &file_path);
 bool get_cached_body(const String &path, String *body);
 bool has_cached_body(const String &path);
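Review bot: The new declaration `String wwwroot_get_simplified_abs_path(const String &file_path);` carries no comment, although its contract differs from the neighbouring helpers in a way callers need to know: per the .cpp hunk it joins file_path onto wwwroot, runs simplify_path() and returns an empty String when the result no longer starts with _wwwroot_abs, but it never checks that the file exists or opens it. A comment such as `// Joins file_path onto wwwroot and normalizes it lexically (no existence check); returns an empty String if the result leaves wwwroot.` above the declaration would make that clear. The existing `//e.g.` line above wwwroot_has_file suggests these helpers are documented inline, so the same style fits here.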