mirror of
https://github.com/jech/galene.git
synced 2024-11-22 08:35:57 +01:00
Early paranoia in group name validation.
We will fail malicious paths in openDescriptionFile, but it doesn't harm to be paranoid early.
This commit is contained in:
parent
0d0a745aa3
commit
5beb13b21a
2 changed files with 44 additions and 1 deletions
|
@ -373,8 +373,22 @@ func Add(name string, desc *Description) (*Group, error) {
|
|||
return g, err
|
||||
}
|
||||
|
||||
func validGroupName(name string) bool {
|
||||
if filepath.Separator != '/' &&
|
||||
strings.ContainsRune(name, filepath.Separator) {
|
||||
return false
|
||||
}
|
||||
|
||||
s := path.Clean("/" + name)
|
||||
if s == "/" {
|
||||
return false
|
||||
}
|
||||
|
||||
return s == "/"+name
|
||||
}
|
||||
|
||||
func add(name string, desc *Description) (*Group, []Client, error) {
|
||||
if name == "" || strings.HasSuffix(name, "/") {
|
||||
if !validGroupName(name) {
|
||||
return nil, nil, UserError("illegal group name")
|
||||
}
|
||||
|
||||
|
|
|
@ -245,3 +245,32 @@ func TestFmtpValue(t *testing.T) {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestValidGroupName(t *testing.T) {
|
||||
type nameTest struct {
|
||||
name string
|
||||
result bool
|
||||
}
|
||||
tests := []nameTest{
|
||||
{"", false},
|
||||
{"/", false},
|
||||
{"/foo", false},
|
||||
{"foo/", false},
|
||||
{"./foo", false},
|
||||
{"foo/.", false},
|
||||
{"../foo", false},
|
||||
{"foo/..", false},
|
||||
{"foo/./bar", false},
|
||||
{"foo/../bar", false},
|
||||
{"foo", true},
|
||||
{"foo/bar", true},
|
||||
}
|
||||
|
||||
for _, test := range tests {
|
||||
r := validGroupName(test.name)
|
||||
if r != test.result {
|
||||
t.Errorf("Valid %v: got %v, expected %v",
|
||||
test.name, r, test.result)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue