MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-11-07 12:52:58 -05:00
Code Issues Packages Projects Releases Wiki Activity

avoid busy loops in bad path component (#19466)

Browse Source 
use it in places where we are looking
for such bad path components.
This commit is contained in:
Harshavardhana
2024-04-10 18:08:52 -07:00
committed by GitHub
parent 35d8728990
commit 9b926f7dbe
2 changed files with 11 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
cmd/admin-handlers.go
View File

@@ -36,6 +36,7 @@ import (
"net/url"
"os"
"path"
"path/filepath"
"regexp"
"runtime"
"sort"
@@ -3172,11 +3173,11 @@ func (a adminAPIHandlers) InspectDataHandler(w http.ResponseWriter, r *http.Requ
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrInvalidRequest), r.URL)
return
}
file = strings.ReplaceAll(file, string(os.PathSeparator), "/")
file = filepath.ToSlash(file)
// Reject attempts to traverse parent or absolute paths.
if strings.Contains(file, "..") || strings.Contains(volume, "..") {
writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
if hasBadPathComponent(volume) || hasBadPathComponent(file) {
writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrInvalidResourceName), r.URL)
return
}