fix: security issue in command runner (closes filebrowser#1621)
o1egl authored and Rahul committed Sep 2, 2022
1 parent b212254 commit 6eb28eb
Showing 1 changed file with 6 additions and 6 deletions.
12 changes: 6 additions & 6 deletions http/commands.go
Expand Up @@ -59,19 +59,19 @@ var commandsHandler = withUser(func(w http.ResponseWriter, r *http.Request, d *d
}
}

if !d.server.EnableExec || !d.user.CanExecute(strings.Split(raw, " ")[0]) {
if err := conn.WriteMessage(websocket.TextMessage, cmdNotAllowed); err != nil { //nolint:govet
command, err := runner.ParseCommand(d.settings, raw)
if err != nil {
if err := conn.WriteMessage(websocket.TextMessage, []byte(err.Error())); err != nil { //nolint:govet
wsErr(conn, r, http.StatusInternalServerError, err)
}

return 0, nil
}

command, err := runner.ParseCommand(d.settings, raw)
if err != nil {
if err := conn.WriteMessage(websocket.TextMessage, []byte(err.Error())); err != nil { //nolint:govet
if !d.server.EnableExec || !d.user.CanExecute(command[0]) {
if err := conn.WriteMessage(websocket.TextMessage, cmdNotAllowed); err != nil { //nolint:govet
wsErr(conn, r, http.StatusInternalServerError, err)
}

return 0, nil
}
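Review bot: At `if !d.server.EnableExec || !d.user.CanExecute(command[0])` the server-wide switch is now evaluated only after `runner.ParseCommand`, so with execution disabled the handler still parses client input and returns the parser's `err.Error()` text over the websocket before any permission decision. Keep the `!d.server.EnableExec` test (with the `cmdNotAllowed` reply) ahead of the parse and leave only `!d.user.CanExecute(command[0])` after it. `command[0]` is indexed without a length check and its meaning depends on what ParseCommand puts first, which is not visible here; if that can be an empty slice or a configured wrapper rather than the requested program, guard with `len(command) == 0 ||` and add a comment such as `// command[0] is the binary that will actually be exec'd`. The handler body starts and ends outside the hunk.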

