feat: AssetController shall denies access to files in folder that has a .DENIED file

2024-11-14 01:08:22 +01:00 · 2024-03-17 19:02:14 +01:00 · 2024-03-17 19:02:14 +01:00 · 824769dee2
commit 824769dee2
parent 14e20cf41e
2 changed files with 14 additions and 3 deletions
--- a/configure.ac
+++ b/configure.ac
@ -1,5 +1,5 @@
 # initialise autoconf and set up some basic information about the program we’re packaging
-AC_INIT([silk], [0.1.1], [xsang.le@gmail.com])
+AC_INIT([silk], [0.2.0], [xsang.le@gmail.com])

 # We’re going to use automake for this project
 # [subdir-objects] if needed
--- a/silkmvc/BaseController.lua
+++ b/silkmvc/BaseController.lua
@ -93,8 +93,19 @@ function AssetController:index(...)
 end

 function AssetController:get(...)
-    local path = WWW_ROOT..DIR_SEP..implode({...}, DIR_SEP)
-
+    -- check for access in all parent DIR
+    local DENIEDF = ".DENIED"
+    local curr_dir = WWW_ROOT
+    local args = {...}
+    for i, v in ipairs(explode(args[1], "/")) do
+        LOG_DEBUG("Checking acess for %s", curr_dir)
+        if ulib.exists(curr_dir..DIR_SEP..DENIEDF) then
+            self:error("Access forbidden: "..curr_dir)
+            return false
+        end
+        curr_dir = curr_dir..DIR_SEP..v
+    end
+    local path = WWW_ROOT..DIR_SEP..implode(args, DIR_SEP)
    if self.registry.fileaccess and ulib.exists(path) then
        local mime = std.mimeOf(path)
        if POLICY.mimes[mime] then