Make sure clients cannot overwrite address book

Tighten the regex for valid resources and change the name of the default
address book file so that it is not covered by that regex. This will
prohibit clients from accidentally or maliciously PUTing to that file.
Conrad Hoffmann 2022-03-16 15:15:01 +01:00
parent f4a3598191
commit 5728f1ee27


@ -24,7 +24,7 @@ type filesystemBackend struct {
var ( var (
nilBackend carddav.Backend = (*filesystemBackend)(nil) nilBackend carddav.Backend = (*filesystemBackend)(nil)
validFilenameRegex = regexp.MustCompile(`^/[A-Za-z0-9_-]+(.[a-zA-Z]+)?$`) validFilenameRegex = regexp.MustCompile(`^/[A-Za-z0-9][A-Za-z0-9_-]+(.[a-zA-Z]+)?$`)
) )
func NewFilesystem(path string) (carddav.Backend, error) { func NewFilesystem(path string) (carddav.Backend, error) {
@ -153,7 +153,7 @@ func (b *filesystemBackend) AddressBook(ctx context.Context) (*carddav.AddressBo
if err != nil { if err != nil {
return nil, err return nil, err
} }
path = filepath.Join(path, "default.json") path = filepath.Join(path, "_default_ab.json")
data, err := ioutil.ReadFile(path) data, err := ioutil.ReadFile(path)
if os.IsNotExist(err) { if os.IsNotExist(err) {
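Review bot: In the new `validFilenameRegex` (first hunk) the `.` before the extension is unescaped, so it matches any single character rather than a literal dot, and a name with a path separator in that position still passes validation. Escaping the dot closes that gap. The new leading class followed by `+` also requires at least two characters in the base name, so if rejecting single-character names is unintended, use `*`: `^/[A-Za-z0-9][A-Za-z0-9_-]*(\.[a-zA-Z]+)?$`. The protection of `_default_ab.json` rests entirely on this pattern, so a comment above the variable should state the invariant, e.g. `// Client-supplied names must not start with '_'; that prefix is reserved for backend-internal files such as the address book metadata.` In the second hunk, deployments that already have a `default.json` will presumably be treated as having no address book after the rename; the `os.IsNotExist` branch continues outside the hunk, so confirm whether a migration step is needed.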