do not allow filesystem fallback in server download (#15429)

It is possible for anyone with admin access to read the contents of any file on the
server's host filesystem by simply passing a local file path as the update source,
e.g. `mc admin update alias/ /etc/passwd`.

Workaround is to disable 'admin:ServiceUpdate' action. Everyone
is advised to upgrade to this patch.

Thanks to @alevsk for finding this bug.
Harshavardhana 2022-07-28 17:44:21 -07:00 committed by GitHub
parent 5e0776e96a
commit bc72e4226e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -291,8 +291,6 @@ func getUserAgent(mode string) string {
}
func downloadReleaseURL(u *url.URL, timeout time.Duration, mode string) (content string, err error) {
var reader io.ReadCloser
if u.Scheme == "https" || u.Scheme == "http" {
req, err := http.NewRequest(http.MethodGet, u.String(), nil)
if err != nil {
return content, AdminError{
@ -326,7 +324,6 @@ func downloadReleaseURL(u *url.URL, timeout time.Duration, mode string) (content
StatusCode: http.StatusInternalServerError,
}
}
reader = resp.Body
defer xhttp.DrainBody(resp.Body)
if resp.StatusCode != http.StatusOK {
@ -336,18 +333,8 @@ func downloadReleaseURL(u *url.URL, timeout time.Duration, mode string) (content
StatusCode: resp.StatusCode,
}
}
} else {
reader, err = os.Open(u.Path)
if err != nil {
return content, AdminError{
Code: AdminUpdateURLNotReachable,
Message: err.Error(),
StatusCode: http.StatusServiceUnavailable,
}
}
}
contentBytes, err := ioutil.ReadAll(reader)
contentBytes, err := ioutil.ReadAll(resp.Body)
if err != nil {
return content, AdminError{
Code: AdminUpdateUnexpectedFailure,