
Early paranoia in group name validation.

openDescriptionFile will reject malicious paths, but it doesn't hurt to be paranoid early.
This commit is contained in:
Juliusz Chroboczek 2021-08-24 00:31:46 +02:00
parent 0d0a745aa3
commit 5beb13b21a
2 changed files with 44 additions and 1 deletions


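--- a/FILE_PATH_NOT_SHOWN
+++ b/FILE_PATH_NOT_SHOWN
@@ -373,8 +373,22 @@ func Add(name string, desc *Description) (*Group, error) {
 	return g, err
 }
+func validGroupName(name string) bool {
+	if filepath.Separator != '/' &&
+		strings.ContainsRune(name, filepath.Separator) {
+		return false
+	}
+	s := path.Clean("/" + name)
+	if s == "/" {
+		return false
+	}
+	return s == "/"+name
+}
 func add(name string, desc *Description) (*Group, []Client, error) {
-	if name == "" || strings.HasSuffix(name, "/") {
+	if !validGroupName(name) {
 		return nil, nil, UserError("illegal group name")
 	}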
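Review bot: validGroupName has no doc comment, and the `path.Clean("/" + name) == "/"+name` round-trip that does the real work is an invariant a reader will not reconstruct at a glance; suggest `// validGroupName reports whether name is a relative, slash-separated path that path.Clean leaves unchanged: non-empty, no leading or trailing slash, no empty, "." or ".." components, and no OS path separator where that differs from '/'.` The first branch is only reachable on platforms where filepath.Separator is not '/', so a one-line comment saying so would stop someone from "simplifying" it away. As the description says, openDescriptionFile remains the authoritative check; a short comment at the call site in add, `// early reject; openDescriptionFile re-validates the path`, keeps the two guards from drifting apart. add's body continues outside the hunk, and the hunk does not show the import block, so I assume path is already imported in this file.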


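--- a/FILE_PATH_NOT_SHOWN_test.go
+++ b/FILE_PATH_NOT_SHOWN_test.go
@@ -245,3 +245,32 @@ func TestFmtpValue(t *testing.T) {
 		}
 	}
 }
+func TestValidGroupName(t *testing.T) {
+	type nameTest struct {
+		name   string
+		result bool
+	}
+	tests := []nameTest{
+		{"", false},
+		{"/", false},
+		{"/foo", false},
+		{"foo/", false},
+		{"./foo", false},
+		{"foo/.", false},
+		{"../foo", false},
+		{"foo/..", false},
+		{"foo/./bar", false},
+		{"foo/../bar", false},
+		{"foo", true},
+		{"foo/bar", true},
+	}
+	for _, test := range tests {
+		r := validGroupName(test.name)
+		if r != test.result {
+			t.Errorf("Valid %v: got %v, expected %v",
+				test.name, r, test.result)
+		}
+	}
+}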
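Review bot: The failure message at the `t.Errorf` prints test.name with `%v`, so the empty-string case would report as `Valid : got ...` and a name with trailing whitespace would be indistinguishable from one without; `%q` makes every case identifiable: `t.Errorf("Valid %q: got %v, expected %v",`. The table could also pin the boundary inputs the Clean round-trip is specifically meant to reject — `{".", false}`, `{"..", false}`, `{"foo//bar", false}`, `{"/foo/", false}` — since doubled slashes and bare dot names are not covered by the current cases. A backslash case would only be meaningful where filepath.Separator is not '/', so it would need a build tag or a runtime guard rather than an unconditional entry.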