feat: AssetController shall denies access to files in folder that has a .DENIED file

DanyLE 2024-03-17 19:02:14 +01:00
parent 14e20cf41e
commit 824769dee2
2 changed files with 14 additions and 3 deletions


@ -1,5 +1,5 @@
# initialise autoconf and set up some basic information about the program were packaging # initialise autoconf and set up some basic information about the program were packaging
AC_INIT([silk], [0.1.1], [xsang.le@gmail.com]) AC_INIT([silk], [0.2.0], [xsang.le@gmail.com])
# Were going to use automake for this project # Were going to use automake for this project
# [subdir-objects] if needed # [subdir-objects] if needed


@ -93,8 +93,19 @@ function AssetController:index(...)
end end
function AssetController:get(...) function AssetController:get(...)
local path = WWW_ROOT..DIR_SEP..implode({...}, DIR_SEP) -- check for access in all parent DIR
local DENIEDF = ".DENIED"
local curr_dir = WWW_ROOT
local args = {...}
for i, v in ipairs(explode(args[1], "/")) do
LOG_DEBUG("Checking acess for %s", curr_dir)
if ulib.exists(curr_dir..DIR_SEP..DENIEDF) then
self:error("Access forbidden: "..curr_dir)
return false
end
curr_dir = curr_dir..DIR_SEP..v
end
local path = WWW_ROOT..DIR_SEP..implode(args, DIR_SEP)
if self.registry.fileaccess and ulib.exists(path) then if self.registry.fileaccess and ulib.exists(path) then
local mime = std.mimeOf(path) local mime = std.mimeOf(path)
if POLICY.mimes[mime] then if POLICY.mimes[mime] then