mirror of
https://github.com/minio/minio.git
synced 2024-12-24 22:25:54 -05:00
do not allow filesystem fallback in server download (#15429)
It is possible for anyone with admin access to relatively to get any content of any random OS location by simply providing the file with 'mc admin update alias/ /etc/passwd`. Workaround is to disable 'admin:ServiceUpdate' action. Everyone is advised to upgrade to this patch. Thanks to @alevsk for finding this bug.
This commit is contained in:
parent
5e0776e96a
commit
bc72e4226e
@ -291,8 +291,6 @@ func getUserAgent(mode string) string {
|
||||
}
|
||||
|
||||
func downloadReleaseURL(u *url.URL, timeout time.Duration, mode string) (content string, err error) {
|
||||
var reader io.ReadCloser
|
||||
if u.Scheme == "https" || u.Scheme == "http" {
|
||||
req, err := http.NewRequest(http.MethodGet, u.String(), nil)
|
||||
if err != nil {
|
||||
return content, AdminError{
|
||||
@ -326,7 +324,6 @@ func downloadReleaseURL(u *url.URL, timeout time.Duration, mode string) (content
|
||||
StatusCode: http.StatusInternalServerError,
|
||||
}
|
||||
}
|
||||
reader = resp.Body
|
||||
defer xhttp.DrainBody(resp.Body)
|
||||
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
@ -336,18 +333,8 @@ func downloadReleaseURL(u *url.URL, timeout time.Duration, mode string) (content
|
||||
StatusCode: resp.StatusCode,
|
||||
}
|
||||
}
|
||||
} else {
|
||||
reader, err = os.Open(u.Path)
|
||||
if err != nil {
|
||||
return content, AdminError{
|
||||
Code: AdminUpdateURLNotReachable,
|
||||
Message: err.Error(),
|
||||
StatusCode: http.StatusServiceUnavailable,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
contentBytes, err := ioutil.ReadAll(reader)
|
||||
contentBytes, err := ioutil.ReadAll(resp.Body)
|
||||
if err != nil {
|
||||
return content, AdminError{
|
||||
Code: AdminUpdateUnexpectedFailure,
|
||||
|
Loading…
Reference in New Issue
Block a user