From 5728f1ee2793fa97062642bfde54d2b9ed74eb3f Mon Sep 17 00:00:00 2001
From: Conrad Hoffmann
Date: Wed, 16 Mar 2022 15:15:01 +0100
Subject: [PATCH] Make sure clients cannot overwrite address book

Tighten the regex for valid resources and change the name of the default address book file so that it is not covered by that regex. This will prohibit clients from accidentally or maliciously PUTing to that file.
---
 storage/filesystem.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/storage/filesystem.go b/storage/filesystem.go
index bb5f2be..481f2d1 100644
--- a/storage/filesystem.go
+++ b/storage/filesystem.go
@@ -24,7 +24,7 @@ type filesystemBackend struct {
 var (
 	nilBackend carddav.Backend = (*filesystemBackend)(nil)
-	validFilenameRegex = regexp.MustCompile(`^/[A-Za-z0-9_-]+(.[a-zA-Z]+)?$`)
+	validFilenameRegex = regexp.MustCompile(`^/[A-Za-z0-9][A-Za-z0-9_-]+(.[a-zA-Z]+)?$`)
 )
 func NewFilesystem(path string) (carddav.Backend, error) {
@@ -153,7 +153,7 @@ func (b *filesystemBackend) AddressBook(ctx context.Context) (*carddav.AddressBo
 	if err != nil {
 		return nil, err
 	}
-	path = filepath.Join(path, "default.json")
+	path = filepath.Join(path, "_default_ab.json")
 	data, err := ioutil.ReadFile(path)
 	if os.IsNotExist(err) {
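Review bot: The tightened validFilenameRegex still leaves the `.` in `(.[a-zA-Z]+)?` unescaped, so it matches any character rather than a literal dot: a name such as `/ab/cd` (slash plus letters as the "extension") or `/ab cd` passes the check, which defeats part of the purpose of restricting resource names to a flat set of files. The `+` on the second class also newly rejects single-character names like `/a`, which may be unintended. Both are fixed by `validFilenameRegex = regexp.MustCompile(`^/[A-Za-z0-9][A-Za-z0-9_-]*(\.[a-zA-Z]+)?$`)`. Since the protection of the default address book now rests on its leading underscore being excluded by the first character class, a unit test asserting that `_default_ab.json` does not match would pin that invariant.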
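Review bot: Renaming the file to `_default_ab.json` has no migration path for existing storage directories: an installation that already holds `default.json` will now take the `os.IsNotExist(err)` branch on the next read, and if that branch initialises a fresh address book (its body is outside the hunk), the existing data is silently orphaned rather than served. Consider renaming `default.json` to the new name when only the old file exists, or documenting the manual rename in the release notes. A comment on the new line, `// Leading underscore keeps this name outside validFilenameRegex so clients cannot PUT to it.`, would record why the name was chosen. The enclosing AddressBook method starts and ends outside the hunk.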