
Implement handler_file to forbid symlinks. #1099

Merged
merged 2 commits into from

1 participant

@skinkie
Cherokee Project member

As requested in issue #927, I have modelled this on the way handler_common
works. Thus, if symlinks are disabled, requesting the file produces
a 404. This requires an extra lstat per request.

Fix #927

@skinkie skinkie Implement handler_file to forbid symlinks.
As of request I have modelled the way handler_common works as requested
in issue #927. Thus, if symlinks is disabled, requesting the file produces
a 404. This requires an extra lstat per request.

Fix #927
acad677
@skinkie skinkie merged commit c1423a9 into master
@skinkie skinkie deleted the nosymlink_927 branch
Commits on Jan 9, 2014
  1. @skinkie

    Implement handler_file to forbid symlinks.

    skinkie committed
    As of request I have modelled the way handler_common works as requested
    in issue #927. Thus, if symlinks is disabled, requesting the file produces
    a 404. This requires an extra lstat per request.
    
    Fix #927
Commits on Jan 10, 2014
  1. @skinkie
Showing with 34 additions and 3 deletions.
  1. +2 −2 admin/plugins/common.py
  2. +4 −1 admin/plugins/dirlist.py
  3. +4 −0 admin/plugins/file.py
  4. +23 −0 cherokee/handler_file.c
  5. +1 −0 cherokee/handler_file.h
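--- a/admin/plugins/common.py
+++ b/admin/plugins/common.py
@@ -47,7 +47,7 @@ def __init__ (self, key, **kwargs):
  self += CTK.RawHTML ('<h2>%s</h2>' %(_('Parsing')))
  self += CTK.Indenter (submit)
- self += instance_plugin('file', key, show_document_root=False)
- self += instance_plugin('dirlist', key, show_document_root=False)
+ self += instance_plugin('file', key, show_document_root=False, symlinks=False)
+ self += instance_plugin('dirlist', key, show_document_root=False, symlinks=True)
  CTK.publish ('^%s'%(URL_APPLY), CTK.cfg_apply_post, method="POST")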
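Review bot: The two `instance_plugin` calls now pass opposite `symlinks` values with no comment saying why, which reads like an inconsistency to the next maintainer. Judging from the other files in this change, both plugins bind the same `%s!symlinks` key, so the flag presumably exists to render the checkbox only once on the combined page. A comment above the calls such as `# file and dirlist share the '!symlinks' key: render the checkbox once, via dirlist` would record that. `__init__` starts and ends outside the hunk.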
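--- a/admin/plugins/dirlist.py
+++ b/admin/plugins/dirlist.py
@@ -44,6 +44,8 @@ def __init__ (self, key, **kwargs):
  Handler.PluginHandler.__init__ (self, key, **kwargs)
  Handler.PluginHandler.AddCommon (self)
+ symlinks = kwargs.pop('symlinks', True)
+
  # Listing
  table = CTK.PropsTable()
  table.Add (_('Show Size'), CTK.CheckCfgText("%s!size"%(self.key), True, _('Show')), '')
@@ -52,7 +54,8 @@ def __init__ (self, key, **kwargs):
  table.Add (_('Show Group'), CTK.CheckCfgText("%s!group"%(self.key), False, _('Show')), '')
  table.Add (_('Show Backup files'), CTK.CheckCfgText("%s!backup"%(self.key), False, _('Show')), '')
  table.Add (_('Show Hidden files'), CTK.CheckCfgText("%s!hidden"%(self.key), False, _('Show')), '')
- table.Add (_('Allow symbolic links'), CTK.CheckCfgText("%s!symlinks"%(self.key), True, _('Allow')), '')
+ if symlinks:
+ table.Add (_('Allow symbolic links'), CTK.CheckCfgText("%s!symlinks"%(self.key), True, _('Allow')), '')
  table.Add (_('Redirect symbolic links'), CTK.CheckCfgText("%s!redir_symlinks"%(self.key), False, _('Enabled')), '')
  submit = CTK.Submitter (URL_APPLY)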
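Review bot: `symlinks = kwargs.pop('symlinks', True)` runs after `Handler.PluginHandler.__init__ (self, key, **kwargs)`, so the base class has already received `symlinks` among its keyword arguments and the pop only changes the local dict. If the intent is to keep the option away from the parent, the pop belongs above the base-class call; if the parent is expected to ignore it, `kwargs.get('symlinks', True)` says so more plainly. The same ordering appears in admin/plugins/file.py. `__init__` continues outside both hunks, so whether the base class tolerates unknown keywords is not visible here.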
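--- a/admin/plugins/file.py
+++ b/admin/plugins/file.py
@@ -36,8 +36,12 @@ def __init__ (self, key, **kwargs):
  Handler.PluginHandler.__init__ (self, key, **kwargs)
  Handler.PluginHandler.AddCommon (self)
+ symlinks = kwargs.pop('symlinks', True)
+
  table = CTK.PropsTable()
  table.Add (_("Use I/O cache"), CTK.CheckCfgText("%s!iocache"%(self.key), True, _('Enabled')), _(NOTE_IO_CACHE))
+ if symlinks:
+ table.Add (_('Allow symbolic links'), CTK.CheckCfgText("%s!symlinks"%(self.key), True, _('Allow')), '')
  submit = CTK.Submitter (URL_APPLY)
  submit += table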
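--- a/cherokee/handler_file.c
+++ b/cherokee/handler_file.c
@@ -80,6 +80,7 @@ cherokee_handler_file_configure (cherokee_config_node_t *conf,
  MODULE_PROPS_FREE(cherokee_handler_file_props_free));
  n->use_cache = true;
+ n->send_symlinks = true;
  *_props = MODULE_PROPS(n);
  }
@@ -91,6 +92,9 @@ cherokee_handler_file_configure (cherokee_config_node_t *conf,
  if (equal_buf_str (&subconf->key, "iocache")) {
  ret = cherokee_atob (subconf->val.buf, &props->use_cache);
  if (ret != ret_ok) return ret;
+ } else if (equal_buf_str (&subconf->key, "symlinks")) {
+ ret = cherokee_atob (subconf->val.buf, &props->send_symlinks);
+ if (ret != ret_ok) return ret;
  }
  }
@@ -453,6 +457,25 @@ cherokee_handler_file_custom_init (cherokee_handler_file_t *fhdl,
  goto out;
  }
+ /* Are we allowed to send symlinks?
+ */
+ if (!HDL_FILE_PROP(fhdl)->send_symlinks) {
+ struct stat stat;
+ int re;
+
+ re = cherokee_lstat (local_file->buf, &stat);
+ if (re < 0) {
+ ret = ret_error;
+ goto out;
+ }
+
+ if (S_ISLNK(stat.st_mode)) {
+ conn->error_code = http_not_found;
+ ret = ret_error;
+ goto out;
+ }
+ }
+
  /* Look for the mime type
  */
  if (srv->mime != NULL) {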
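Review bot: The added `cherokee_lstat` check in `cherokee_handler_file_custom_init` looks only at the final component of `local_file` and is a separate step from whatever later opens the file, so a link in a parent directory, or a path that changes between the check and the open, is not covered by the `symlinks` option. The open is outside this hunk; if it can pass `O_NOFOLLOW`, the open itself would refuse a link in the last component and the extra lstat could go, and the parent-directory limitation should be stated next to the option's documentation. The `re < 0` branch returns `ret_error` without setting `conn->error_code`, unlike the symlink branch, so the status sent for a failed lstat depends on code not shown here. The local `struct stat stat;` also shadows the libc function of the same name; `struct stat nfo;` would avoid that.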
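--- a/cherokee/handler_file.h
+++ b/cherokee/handler_file.h
@@ -43,6 +43,7 @@
  typedef struct {
  cherokee_handler_props_t base;
  cherokee_boolean_t use_cache;
+ cherokee_boolean_t send_symlinks;
  } cherokee_handler_file_props_t;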