fix(api): protect emoji delete api from path traversal exploit

Gabe Kangas 2024-01-20 19:48:52 -08:00
parent 225dc98736
commit 1b14800c7d
No known key found for this signature in database
GPG Key ID: 4345B2060657F330


@ -76,9 +76,13 @@ func DeleteCustomEmoji(w http.ResponseWriter, r *http.Request) {
return return
} }
// var emojiFileName = filepath.Base(emoji.Name)
targetPath := filepath.Join(config.CustomEmojiPath, emoji.Name) targetPath := filepath.Join(config.CustomEmojiPath, emoji.Name)
if !filepath.IsLocal(targetPath) {
controllers.WriteSimpleResponse(w, false, "Emoji path is not valid")
return
}
if err := os.Remove(targetPath); err != nil { if err := os.Remove(targetPath); err != nil {
if os.IsNotExist(err) { if os.IsNotExist(err) {
controllers.WriteSimpleResponse(w, false, fmt.Sprintf("Emoji %q doesn't exist", emoji.Name)) controllers.WriteSimpleResponse(w, false, fmt.Sprintf("Emoji %q doesn't exist", emoji.Name))
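Review bot: The new guard calls `filepath.IsLocal` on `targetPath`, which is already the output of `filepath.Join`, so it tests the cleaned, joined path rather than the client-supplied `emoji.Name`. Because Join cleans its result, when `config.CustomEmojiPath` is relative a name with parent-directory segments can collapse to a path that is still local to the working directory but outside the emoji directory, and when it is absolute `IsLocal` returns false for every request, so no emoji can be deleted (the value of `CustomEmojiPath` is not visible in this hunk). Validate the name before joining, `if !filepath.IsLocal(emoji.Name) {`, or join with `filepath.Base(emoji.Name)`; the commented-out `// var emojiFileName = filepath.Base(emoji.Name)` line should then be either used or deleted. DeleteCustomEmoji starts and ends outside this hunk.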