mirror of
https://github.com/minio/minio.git
synced 2024-12-24 22:25:54 -05:00
do not allow filesystem fallback in server download (#15429)
It is possible for anyone with admin access to relatively to get any content of any random OS location by simply providing the file with 'mc admin update alias/ /etc/passwd`. Workaround is to disable 'admin:ServiceUpdate' action. Everyone is advised to upgrade to this patch. Thanks to @alevsk for finding this bug.
This commit is contained in:
parent
5e0776e96a
commit
bc72e4226e
@ -291,63 +291,50 @@ func getUserAgent(mode string) string {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func downloadReleaseURL(u *url.URL, timeout time.Duration, mode string) (content string, err error) {
|
func downloadReleaseURL(u *url.URL, timeout time.Duration, mode string) (content string, err error) {
|
||||||
var reader io.ReadCloser
|
req, err := http.NewRequest(http.MethodGet, u.String(), nil)
|
||||||
if u.Scheme == "https" || u.Scheme == "http" {
|
if err != nil {
|
||||||
req, err := http.NewRequest(http.MethodGet, u.String(), nil)
|
return content, AdminError{
|
||||||
if err != nil {
|
Code: AdminUpdateUnexpectedFailure,
|
||||||
return content, AdminError{
|
Message: err.Error(),
|
||||||
Code: AdminUpdateUnexpectedFailure,
|
StatusCode: http.StatusInternalServerError,
|
||||||
Message: err.Error(),
|
|
||||||
StatusCode: http.StatusInternalServerError,
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
req.Header.Set("User-Agent", getUserAgent(mode))
|
}
|
||||||
|
req.Header.Set("User-Agent", getUserAgent(mode))
|
||||||
|
|
||||||
client := &http.Client{Transport: getUpdateTransport(timeout)}
|
client := &http.Client{Transport: getUpdateTransport(timeout)}
|
||||||
resp, err := client.Do(req)
|
resp, err := client.Do(req)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if xnet.IsNetworkOrHostDown(err, false) {
|
if xnet.IsNetworkOrHostDown(err, false) {
|
||||||
return content, AdminError{
|
|
||||||
Code: AdminUpdateURLNotReachable,
|
|
||||||
Message: err.Error(),
|
|
||||||
StatusCode: http.StatusServiceUnavailable,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return content, AdminError{
|
|
||||||
Code: AdminUpdateUnexpectedFailure,
|
|
||||||
Message: err.Error(),
|
|
||||||
StatusCode: http.StatusInternalServerError,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if resp == nil {
|
|
||||||
return content, AdminError{
|
|
||||||
Code: AdminUpdateUnexpectedFailure,
|
|
||||||
Message: fmt.Sprintf("No response from server to download URL %s", u),
|
|
||||||
StatusCode: http.StatusInternalServerError,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
reader = resp.Body
|
|
||||||
defer xhttp.DrainBody(resp.Body)
|
|
||||||
|
|
||||||
if resp.StatusCode != http.StatusOK {
|
|
||||||
return content, AdminError{
|
|
||||||
Code: AdminUpdateUnexpectedFailure,
|
|
||||||
Message: fmt.Sprintf("Error downloading URL %s. Response: %v", u, resp.Status),
|
|
||||||
StatusCode: resp.StatusCode,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
reader, err = os.Open(u.Path)
|
|
||||||
if err != nil {
|
|
||||||
return content, AdminError{
|
return content, AdminError{
|
||||||
Code: AdminUpdateURLNotReachable,
|
Code: AdminUpdateURLNotReachable,
|
||||||
Message: err.Error(),
|
Message: err.Error(),
|
||||||
StatusCode: http.StatusServiceUnavailable,
|
StatusCode: http.StatusServiceUnavailable,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
return content, AdminError{
|
||||||
|
Code: AdminUpdateUnexpectedFailure,
|
||||||
|
Message: err.Error(),
|
||||||
|
StatusCode: http.StatusInternalServerError,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if resp == nil {
|
||||||
|
return content, AdminError{
|
||||||
|
Code: AdminUpdateUnexpectedFailure,
|
||||||
|
Message: fmt.Sprintf("No response from server to download URL %s", u),
|
||||||
|
StatusCode: http.StatusInternalServerError,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
defer xhttp.DrainBody(resp.Body)
|
||||||
|
|
||||||
|
if resp.StatusCode != http.StatusOK {
|
||||||
|
return content, AdminError{
|
||||||
|
Code: AdminUpdateUnexpectedFailure,
|
||||||
|
Message: fmt.Sprintf("Error downloading URL %s. Response: %v", u, resp.Status),
|
||||||
|
StatusCode: resp.StatusCode,
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
contentBytes, err := ioutil.ReadAll(reader)
|
contentBytes, err := ioutil.ReadAll(resp.Body)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return content, AdminError{
|
return content, AdminError{
|
||||||
Code: AdminUpdateUnexpectedFailure,
|
Code: AdminUpdateUnexpectedFailure,
|
||||||
|
Loading…
Reference in New Issue
Block a user