mygit

[UNMAINTAINED] A cgit/webgit alternative, written in Rust
Log | Files | Refs | README | LICENSE

commit 4804f67de12e2e3471c648c426e5a311aadce6f8
parent 0b845cad3d6e76678e93f86707b700efe46fcbec
Author: alex wennerberg <alex@alexwennerberg.com>
Date:   Sun, 18 Jul 2021 21:57:39 -0700

Canonicalize paths

Diffstat:
Msrc/main.rs | 4++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main.rs b/src/main.rs @@ -175,7 +175,7 @@ fn repo_from_request(repo_name: &str) -> Result<Repository, tide::Error> { .decode_utf8_lossy() .into_owned(); - let repo_path = Path::new(&CONFIG.projectroot).join(repo_name); + let repo_path = Path::new(&CONFIG.projectroot).join(repo_name).canonicalize()?; // prevent path traversal if !repo_path.starts_with(&CONFIG.projectroot) { @@ -730,7 +730,7 @@ async fn git_data(req: Request<()>) -> tide::Result { .path() .strip_prefix(&format!("/{}/", req.param("repo_name").unwrap())) .unwrap_or_default(); - let path = repo.path().join(path); + let path = repo.path().join(path).canonicalize()?; if !path.starts_with(repo.path()) { // that path got us outside of the repository structure somehow