Mercurial > prosody-hg
comparison plugins/mod_http_file_share.lua @ 11313:e53894d26092
mod_http_file_share: Validate that filename does not contain '/'
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 26 Jan 2021 14:52:37 +0100 |
| parents | aade4a6179a3 |
| children | 7c8b02c5a335 |
comparison
equal
deleted
inserted
replaced
| 11312:aade4a6179a3 | 11313:e53894d26092 |
|---|---|
| 34 module:depends("http"); | 34 module:depends("http"); |
| 35 end | 35 end |
| 36 | 36 |
| 37 local upload_errors = errors.init(module.name, namespace, { | 37 local upload_errors = errors.init(module.name, namespace, { |
| 38 access = { "auth"; "forbidden" }; | 38 access = { "auth"; "forbidden" }; |
| 39 filename = { "modify"; "bad-request", "Invalid filename" }; | |
| 39 }); | 40 }); |
| 40 | 41 |
| 41 function may_upload(uploader, filename, filesize, filetype) -- > boolean, error | 42 function may_upload(uploader, filename, filesize, filetype) -- > boolean, error |
| 42 local uploader_host = jid.host(uploader); | 43 local uploader_host = jid.host(uploader); |
| 43 if not ((access:empty() and prosody.hosts[uploader_host]) or access:contains(uploader) or access:contains(uploader_host)) then | 44 if not ((access:empty() and prosody.hosts[uploader_host]) or access:contains(uploader) or access:contains(uploader_host)) then |
| 44 return false, upload_errors.new("access"); | 45 return false, upload_errors.new("access"); |
| 46 end | |
| 47 | |
| 48 if not filename or filename:find"/" then | |
| 49 -- On Linux, only '/' and '\0' are invalid in filenames and NUL can't be in XML | |
| 50 return false, upload_errors.new("filename"); | |
| 45 end | 51 end |
| 46 | 52 |
| 47 return true; | 53 return true; |
| 48 end | 54 end |
| 49 | 55 |
