	Clean Path in Options (#23006)
At the moment it is possible to read files in a directory other than the
intended one using the Options functions, e.g.
`options.Gitignore("../label/Default")`. This was discovered while
working on #22783, which exposes `options.Gitignore()` through the
public API. At the moment, this is not a security problem, as this
function is only used internally, but I thought it would be a good idea to
make a PR to fix this for all types of Options files, not only
Gitignore, to make it safe for the future. This PR should be merged
before the linked PR.
---------
Co-authored-by: Jason Song <i@wolfogre.com>
			
			
		| @@ -79,22 +79,22 @@ func WalkLocales(callback func(path, name string, d fs.DirEntry, err error) erro | ||||
|  | ||||
| // Readme reads the content of a specific readme from static or custom path. | ||||
| func Readme(name string) ([]byte, error) { | ||||
| 	return fileFromDir(path.Join("readme", name)) | ||||
| 	return fileFromDir(path.Join("readme", path.Clean("/"+name))) | ||||
| } | ||||
|  | ||||
| // Gitignore reads the content of a specific gitignore from static or custom path. | ||||
| func Gitignore(name string) ([]byte, error) { | ||||
| 	return fileFromDir(path.Join("gitignore", name)) | ||||
| 	return fileFromDir(path.Join("gitignore", path.Clean("/"+name))) | ||||
| } | ||||
|  | ||||
| // License reads the content of a specific license from static or custom path. | ||||
| func License(name string) ([]byte, error) { | ||||
| 	return fileFromDir(path.Join("license", name)) | ||||
| 	return fileFromDir(path.Join("license", path.Clean("/"+name))) | ||||
| } | ||||
|  | ||||
| // Labels reads the content of a specific labels from static or custom path. | ||||
| func Labels(name string) ([]byte, error) { | ||||
| 	return fileFromDir(path.Join("label", name)) | ||||
| 	return fileFromDir(path.Join("label", path.Clean("/"+name))) | ||||
| } | ||||
|  | ||||
| // fileFromDir is a helper to read files from static or custom path. | ||||
|   | ||||
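Review bot: The traversal guard is repeated at each of the four call sites (`Readme`, `Gitignore`, `License`, `Labels`) here and again in the bindata variant in the next hunk, while `fileFromDir` itself still accepts whatever path it is handed, so a future accessor that forgets the wrapper reintroduces the problem. Consider routing every accessor through one helper, e.g. `func cleanName(name string) string { return path.Clean("/" + name) }`, or enforcing containment inside `fileFromDir`, whose body is outside this hunk. Note also that `path.Clean` only understands forward slashes; if `fileFromDir` turns the result into an OS path with `filepath` on Windows, backslash separators in `name` would pass through unchanged. That needs confirming against the helper, and normalising them first with `strings.ReplaceAll(name, "\\", "/")` would close it. A table-driven test asserting that names containing `..` resolve under their own directory would pin the behaviour.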
| @@ -84,22 +84,22 @@ func WalkLocales(callback func(path, name string, d fs.DirEntry, err error) erro | ||||
|  | ||||
| // Readme reads the content of a specific readme from bindata or custom path. | ||||
| func Readme(name string) ([]byte, error) { | ||||
| 	return fileFromDir(path.Join("readme", name)) | ||||
| 	return fileFromDir(path.Join("readme", path.Clean("/"+name))) | ||||
| } | ||||
|  | ||||
| // Gitignore reads the content of a gitignore locale from bindata or custom path. | ||||
| func Gitignore(name string) ([]byte, error) { | ||||
| 	return fileFromDir(path.Join("gitignore", name)) | ||||
| 	return fileFromDir(path.Join("gitignore", path.Clean("/"+name))) | ||||
| } | ||||
|  | ||||
| // License reads the content of a specific license from bindata or custom path. | ||||
| func License(name string) ([]byte, error) { | ||||
| 	return fileFromDir(path.Join("license", name)) | ||||
| 	return fileFromDir(path.Join("license", path.Clean("/"+name))) | ||||
| } | ||||
|  | ||||
| // Labels reads the content of a specific labels from static or custom path. | ||||
| func Labels(name string) ([]byte, error) { | ||||
| 	return fileFromDir(path.Join("label", name)) | ||||
| 	return fileFromDir(path.Join("label", path.Clean("/"+name))) | ||||
| } | ||||
|  | ||||
| // fileFromDir is a helper to read files from bindata or custom path. | ||||
|   | ||||
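Review bot: The doc comments on these accessors do not say that `name` is now normalised, so a caller cannot tell that `..` segments are collapsed rather than rejected with an error. I would add a line such as `// name is cleaned as a rooted path, so it cannot refer to a file outside the "readme" directory.` to each of the four functions, adjusting the directory name. The existing comment on `Gitignore` in this hunk also says "a gitignore locale", which looks like a copy-paste slip and could read "a specific gitignore" as in the other variant.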