Merge pull request from GHSA-h5gf-cmm8-cg7c
LinkLeong committed Feb 4, 2024
1 parent 4d2b65e commit 3f4558e
Showing 1 changed file with 11 additions and 0 deletions.
11 changes: 11 additions & 0 deletions route/v1/user.go
@@ -13,6 +13,7 @@ import (
"os"
"path"
"path/filepath"
"regexp"
"strconv"
"strings"
"time"
@@ -667,6 +668,16 @@ func GetUserImage(c *gin.Context) {
return
}

matched, err := regexp.MatchString(`^/var/lib/casaos/\d`, filePath)
if err != nil {
c.JSON(http.StatusNotFound, model.Result{Success: common_err.INSUFFICIENT_PERMISSIONS, Message: common_err.GetMsg(common_err.INSUFFICIENT_PERMISSIONS)})
return
}
if !matched {
c.JSON(http.StatusNotFound, model.Result{Success: common_err.INSUFFICIENT_PERMISSIONS, Message: common_err.GetMsg(common_err.INSUFFICIENT_PERMISSIONS)})
return
}

fileTmp, _ := os.Open(filePath)
defer fileTmp.Close()
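Review bot: The new allow-list check in GetUserImage matches the regular expression against `filePath` as received, so a value that begins with `/var/lib/casaos/<digit>` but has `..` segments later in the string still matches and reaches `os.Open`. Unless the path is already normalized earlier in the function (not visible in this hunk), add `filePath = filepath.Clean(filePath)` immediately before the `regexp.MatchString` call so the prefix test runs on the path that will actually be opened. The pattern also requires only a single digit with no following separator; if the intended layout is a numeric per-user directory, something like `^/var/lib/casaos/\d+/` would pin the match to a whole path component. Because the pattern is a constant, a package-level `regexp.MustCompile` would avoid recompiling on every request and remove the `err` branch, which can only fire on a malformed pattern. The function body starts and ends outside the hunk.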

