@@ -55,6 +55,7 @@ module Network.Gitit.Handlers ( where import Safe import Data.FileStore +import Data.FileStore.Utils (isInsideDir) import Network.Gitit.Server import Network.Gitit.Framework import Network.Gitit.Layout @@ -198,11 +199,17 @@ uploadFile = withData $ \(params :: Params) -> do if e == NotFound then return False else throwIO e >> return True + inStaticDir <- liftIO $ + (repositoryPath cfg </> wikiname) `isInsideDir` staticDir cfg + inTemplatesDir <- liftIO $ + (repositoryPath cfg </> wikiname) `isInsideDir` templatesDir cfg let imageExtensions = [".png", ".jpg", ".gif"] let errors = validate [ (null . filter (not . isSpace) $ logMsg, "Description cannot be empty.") , (null origPath, "File not found.") + , (inStaticDir, "Destination is inside static directory.") + , (inTemplatesDir, "Destination is inside templates directory.") , (not overwrite && exists, "A file named '" ++ wikiname ++ "' already exists in the repository: choose a new name " ++ "or check the box to overwrite the existing file.") Network/Gitit/Handlers.hs @@ -109,7 +109,7 @@ Executable gitit pandoc >= 1.2, process, filepath, directory, mtl, cgi, network, old-time, highlighting-kate, bytestring, utf8-string, SHA > 1, HTTP, HStringTemplate, random, - network >= 2.1.0.0, recaptcha >= 0.1, filestore >= 0.3.2, + network >= 2.1.0.0, recaptcha >= 0.1, filestore >= 0.3.3, datetime, zlib, url, happstack-server >= 0.3.3 && < 0.4, happstack-util >= 0.3.2 && < 0.4, xml >= 1.3.4, hslogger >= 1 && < 1.1, ConfigFile >= 1, feed >= 0.3.6, gitit.cabal b054ec6bd2008a75108d33f0dd06447f1f2ba5f8 John MacFarlane jgm@berkeley.edu http://github.com/jgm/gitit/commit/f6161477f5f2dd381c4e80b357eed933fca04c42 f6161477f5f2dd381c4e80b357eed933fca04c42 2009-11-06T19:24:25-08:00 2009-11-06T19:20:50-08:00 Check to make sure uploaded files don't go in static or templates dir. (Which is possible when these are inside repositoryDir...) Reason: We don't want users uploading new CSS, javascript, or templates that might break the site. Also require filestore >= 0.3.3. 8aef13d94ce284f507f26b747f959d84edbc656a John MacFarlane jgm@berkeley.edu