GitHub/gf-core
1
0
Fork 1
mirror of https://github.com/GrammaticalFramework/gf-core.git synced 2026-05-14 13:42:50 -06:00
Code Issues Packages Projects Releases Wiki Activity

gf -server: improved security checks

Browse Source 
+ More restrictive limits on which file paths can be downloaded and removed.
+ Add more extensions to the list of file types that may be removed. In
  particular, allow documents created by simple translation tool to be removed.
This commit is contained in:
hallgren
2012-09-21 09:00:48 +00:00
parent 6d24f74393
commit db39fdaa68
1 changed files with 20 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
src/compiler/GFServer.hs
View File

@@ -1,6 +1,6 @@
{-# LANGUAGE CPP #-} {-# LANGUAGE CPP #-}
module GFServer(server) where module GFServer(server) where
import Data.List(partition,stripPrefix,tails) import Data.List(partition,stripPrefix,tails,isInfixOf)
import Data.Maybe(mapMaybe) import Data.Maybe(mapMaybe)
import qualified Data.Map as M import qualified Data.Map as M
import Control.Monad(when) import Control.Monad(when)
@@ -166,11 +166,24 @@ handle state0 cache execute1
"make" -> make dir (raw qs) "make" -> make dir (raw qs)
"upload" -> upload (raw qs) "upload" -> upload (raw qs)
"ls" -> jsonList (maybe ".json" fst $ lookup "ext" qs) "ls" -> jsonList (maybe ".json" fst $ lookup "ext" qs)
"rm" -> look "file" rm qs "rm" -> with_file qs rm
"download" -> look "file" download qs "download" -> with_file qs download
"link_directories" -> look "newdir" (link_directories dir) qs "link_directories" -> look "newdir" (link_directories dir) qs
_ -> return (state,resp400 $ "cloud command "++cmd) _ -> return (state,resp400 $ "cloud command "++cmd)
with_file qs f = look "file" check qs
where
check path qs =
if ok_access path
then f path qs
else return (state,resp400 $ "unacceptable path "++path)
ok_access path =
case path of
'/':_ -> False
'.':'.':'/':_ -> False
_ -> not ("/../" `isInfixOf` path)
make dir files = make dir files =
do (state,_) <- upload files do (state,_) <- upload files
let args = "-s":"-make":map fst files let args = "-s":"-make":map fst files
@@ -187,13 +200,15 @@ handle state0 cache execute1
do jsons <- ls_ext "." ext do jsons <- ls_ext "." ext
return (state,json200 jsons) return (state,json200 jsons)
rm path _ | takeExtension path==".json" = ok_to_delete = [".json",".gfstdoc",".gfo",".gf",".pgf"]
rm path _ | takeExtension path `elem` ok_to_delete =
do b <- doesFileExist path do b <- doesFileExist path
if b if b
then do removeFile path then do removeFile path
return (state,ok200 "") return (state,ok200 "")
else return (state,resp404 path) else return (state,resp404 path)
rm path _ = return (state,resp400 $ "unacceptable file "++path) rm path _ = return (state,resp400 $ "unacceptable extension "++path)
download path _ = (,) state `fmap` serveStaticFile path download path _ = (,) state `fmap` serveStaticFile path