ToxicMushroom/tokidoki
1
0
Fork 0
mirror of https://git.sr.ht/~sircmpwn/tokidoki synced 2025-12-12 06:07:22 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Make sure clients cannot overwrite address book

Browse source 
Tighten the regex for valid resources and change the name of the default
address book file so that it is not covered by that regex. This will
prohibit clients from accidentally or maliciously PUTing to that file.
This commit is contained in:
Conrad Hoffmann 2022-03-16 15:15:01 +01:00
parent f4a3598191
commit 5728f1ee27
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
storage/filesystem.go
View file

@ -24,7 +24,7 @@ type filesystemBackend struct {
var (
nilBackend carddav.Backend = (*filesystemBackend)(nil)
validFilenameRegex = regexp.MustCompile(`^/[A-Za-z0-9_-]+(.[a-zA-Z]+)?$`)
validFilenameRegex = regexp.MustCompile(`^/[A-Za-z0-9][A-Za-z0-9_-]+(.[a-zA-Z]+)?$`)
)
func NewFilesystem(path string) (carddav.Backend, error) {
@ -153,7 +153,7 @@ func (b *filesystemBackend) AddressBook(ctx context.Context) (*carddav.AddressBo
if err != nil {
return nil, err
}
path = filepath.Join(path, "default.json")
path = filepath.Join(path, "_default_ab.json")
data, err := ioutil.ReadFile(path)
if os.IsNotExist(err) {