mirror/crowbook
1
0
Fork 0
mirror of https://github.com/lise-henry/crowbook synced 2024-09-30 00:43:44 +02:00
Code Issues

Make Zipper check that a path is in temporary dir before writing the file

Browse Source
This commit is contained in:
Elisabeth Henry 2016-03-05 15:35:41 +01:00
parent f382c92ed9
commit 3e818d1a2e
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/lib/zipper.rs
View File

@ -53,8 +53,13 @@ impl Zipper {
/// writes a content to a temporary file
pub fn write(&mut self, file: &str, content: &[u8], add_args: bool) -> Result<()> {
let dest_file = self.path.join(file);
let dest_dir = dest_file.parent().expect("This file should have a parent, it has just been joined to a directory!");
let path = Path::new(file);
if path.starts_with("..") || path.is_absolute() {
return Err(Error::Zipper(format!("file {} refers to an absolute or a parent path.
This is forbidden because we are supposed to create a temporary file in a temporary dir.", file)));
}
let dest_file = self.path.join(path);
let dest_dir = dest_file.parent().unwrap();
if !fs::metadata(dest_dir).is_ok() { // dir does not exist, create it
try!(DirBuilder::new()
.recursive(true)