
Now disallowing access to files/folders outside the provided config

1 parent aa88e87 commit 406a77f8ee7e84890df1ef71285a69bab7cb200a @himanshuseth himanshuseth committed Feb 25, 2012
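--- a/grails-app/controllers/org/grails/plugins/fileviewer/FileController.groovy
+++ b/grails-app/controllers/org/grails/plugins/fileviewer/FileController.groovy
@@ -13,7 +13,7 @@ class FileController {
 Map model = [locations: fileLocations.locations]
 if (params.filePath) {
 File file = new File(params.filePath)
-if (file.exists()) {
+if (fileLocations.isValidPath(params.filePath) && file.exists()) {
 if (file.isFile()) {
 List locations = getSubFiles(file.parentFile)
 String fileContents = getFileContents(file)
@@ -26,6 +26,8 @@ class FileController {
 model['prevLocation'] = file.getParentFile()?.absolutePath
 }
 model['showBackLink'] = true
+} else {
+model.errorMessage = message(code: 'default.path.invalid.message')
 }
 }
 render(view: "/file/fileList", model: model, plugin: 'fileViewer')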
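Review bot: The new guard on the `if` line validates the raw `params.filePath` string, while `new File(params.filePath)` on the line above is what actually gets read, so a symlink beneath an allowed location that points elsewhere, or any path form the string check does not anticipate, still passes. Canonicalize first and validate the resolved path: `File file = new File(params.filePath).canonicalFile` and `if (fileLocations.isValidPath(file.path) && file.exists()) {`. `getCanonicalFile` can throw `IOException` for malformed paths on some platforms, which presumably should land in the same `errorMessage` branch rather than surface as a 500. The enclosing action starts before the first hunk; the `else` added in the second hunk belongs to the `if` changed in the first.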
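--- a/grails-app/i18n/message.properties
+++ b/grails-app/i18n/message.properties
@@ -1,4 +1,5 @@
 default.link.back.label=Back
 default.page.title.label=File List
 default.page.body.detail=Please click on the links below to view detailed reports:
-default.link.download.label=Download complete file
+default.link.download.label=Download complete file
+default.path.invalid.message=Path provide was either not found or was outside the config scope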
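Review bot: The new message has a typo — `Path provide was` should read `Path provided was` — and it is the text users see whenever the new scope check rejects a request: `default.path.invalid.message=Path provided was either not found or was outside the config scope`. Keeping the submitted path out of the message, as done here, is the right call since the string is rendered straight back into the page.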
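--- a/grails-app/views/file/fileList.gsp
+++ b/grails-app/views/file/fileList.gsp
@@ -5,18 +5,20 @@
 <title><g:message code="default.page.title.label" default="File List" /></title>
 <style type="text/css">
 * {margin: 0;padding: 0;}
-body {font-size: 100.01%;font-family: Arial, sans-serif;color: #333;background: #f8f8f8;padding: 2em;}
+body {font-size: 100.01%;font-family: Arial, sans-serif;color: #333;background: #f8f8f8;padding: 10px;}
 h1 {color: #363;font-size: 1.2em;margin: .5em 0;}
 p, pre, li {margin: 0 0 .5em 0;list-style: square;}
 ul {margin: 1em;}
 pre {background: #eee;border: 1px solid #999;padding: .5em;margin: .5em;font-size: .9em;}
 a {color: #369;font-size: .8em;}
+div.error{background: #ff0000;margin: 10px;}
 </style>
 </head>
 <body>
 <br/><strong>
 <g:message code="default.page.body.detail" default="Please click on the links below to view detailed reports:" />
 </strong><br/><br/>
+<g:if test="${errorMessage}"><div class="error">${errorMessage}</div></g:if>
 <g:if test="${showBackLink}">
 <div id="backLink">
 <a class="showReportLink" href="${createLink(action: 'index', params: [filePath: prevLocation])}">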
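Review bot: The new `${errorMessage}` in the error div is written out without explicit HTML encoding; today it carries only a fixed message-bundle string from the controller, but whether bare `${}` escapes at all depends on `grails.views.default.codec`, so the moment anyone folds the requested path into that message it becomes reflected XSS. Encoding at the point of output costs nothing: `<g:if test="${errorMessage}"><div class="error">${errorMessage?.encodeAsHTML()}</div></g:if>`. Whether the default codec is already set to `html` in this plugin cannot be told from the diff.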
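--- a/src/groovy/org/grails/plugins/fileviewer/FileLocations.groovy
+++ b/src/groovy/org/grails/plugins/fileviewer/FileLocations.groovy
@@ -6,6 +6,17 @@ package org.grails.plugins.fileviewer
 */
 class FileLocations {
-List<String> locations
+List<String> locations
 Integer linesCount
+Boolean areDoubleDotsAllowedInFilePath = false
+
+boolean isValidPath(String filePath) {
+boolean isValid = this.locations.any {filePath.startsWith(it)}
+if(isValid && !areDoubleDotsAllowedInFilePath) {
+isValid = !filePath.contains("..")
+}
+isValid
+}
+
+
 }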
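Review bot: `isValidPath` compares the raw string with `startsWith`, so a configured location `/var/log` also admits `/var/logs-private`, and the `..` blocklist (skipped entirely when `areDoubleDotsAllowedInFilePath` is true) does nothing against a symlink inside an allowed root that resolves outside it, nor against path forms the filesystem normalizes differently from the literal string. The robust form canonicalizes both sides and accepts the target only if it equals a root or begins with the root plus `File.separator`; a null or empty `filePath` should also be rejected up front instead of reaching `startsWith` on null. `canonicalFile` still normalizes paths that do not exist, so the existing acceptance of absent files is unchanged and the caller's `exists()` check keeps its role. The whole class is within the hunk.
```groovy
boolean isValidPath(String filePath) {
    if (!filePath) return false
    File target = new File(filePath).canonicalFile
    boolean isValid = locations.any { String loc ->
        File root = new File(loc).canonicalFile
        target == root || target.path.startsWith(root.path + File.separator)
    }
    if (isValid && !areDoubleDotsAllowedInFilePath) {
        isValid = !filePath.contains("..")
    }
    isValid
}
```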
