Home Explore Help
Register Sign In
XCAppCollection
/
GCDWebServer
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Enforce hidden and extensions restrictions when moving and copying files in uploaders

Fixes #433
Pierre-Olivier Latour 6 years ago
parent
c9563db0a6
commit
02738433bf
2 changed files with 16 additions and 6 deletions
Split View Show Diff Stats
  1. 8 3
      GCDWebDAVServer/GCDWebDAVServer.m
  2. 8 3
      GCDWebUploader/GCDWebUploader.m

+ 8 - 3
GCDWebDAVServer/GCDWebDAVServer.m
View File 

@@ -358,9 +358,14 @@ static inline BOOL _IsMacFinder(GCDWebServerRequest* request) {
 
     return [GCDWebServerErrorResponse responseWithClientError:kGCDWebServerHTTPStatusCode_Conflict message:@"Invalid destination \"%@\"", dstRelativePath];
 
   }
 
 
-  NSString* itemName = [dstAbsolutePath lastPathComponent];
 
-  if ((!_allowHiddenItems && [itemName hasPrefix:@"."]) || (!isDirectory && ![self _checkFileExtension:itemName])) {
 
-    return [GCDWebServerErrorResponse responseWithClientError:kGCDWebServerHTTPStatusCode_Forbidden message:@"%@ to item name \"%@\" is not allowed", isMove ? @"Moving" : @"Copying", itemName];
 
+  NSString* srcName = [srcAbsolutePath lastPathComponent];
 
+  if ((!_allowHiddenItems && [srcName hasPrefix:@"."]) || (!isDirectory && ![self _checkFileExtension:srcName])) {
 
+    return [GCDWebServerErrorResponse responseWithClientError:kGCDWebServerHTTPStatusCode_Forbidden message:@"%@ from item name \"%@\" is not allowed", isMove ? @"Moving" : @"Copying", srcName];
 
+  }
 
+
 
+  NSString* dstName = [dstAbsolutePath lastPathComponent];
 
+  if ((!_allowHiddenItems && [dstName hasPrefix:@"."]) || (!isDirectory && ![self _checkFileExtension:dstName])) {
 
+    return [GCDWebServerErrorResponse responseWithClientError:kGCDWebServerHTTPStatusCode_Forbidden message:@"%@ to item name \"%@\" is not allowed", isMove ? @"Moving" : @"Copying", dstName];
 
   }
 
 
   NSString* overwriteHeader = [request.headers objectForKey:@"Overwrite"];

+ 8 - 3
GCDWebUploader/GCDWebUploader.m
View File 

@@ -325,12 +325,17 @@ NS_ASSUME_NONNULL_END
 
     return [GCDWebServerErrorResponse responseWithClientError:kGCDWebServerHTTPStatusCode_NotFound message:@"\"%@\" does not exist", oldRelativePath];
 
   }
 
 
+  NSString* oldItemName = [oldAbsolutePath lastPathComponent];
 
+  if ((!_allowHiddenItems && [oldItemName hasPrefix:@"."]) || (!isDirectory && ![self _checkFileExtension:oldItemName])) {
 
+    return [GCDWebServerErrorResponse responseWithClientError:kGCDWebServerHTTPStatusCode_Forbidden message:@"Moving from item name \"%@\" is not allowed", oldItemName];
 
+  }
 
+
 
   NSString* newRelativePath = [request.arguments objectForKey:@"newPath"];
 
   NSString* newAbsolutePath = [self _uniquePathForPath:[_uploadDirectory stringByAppendingPathComponent:GCDWebServerNormalizePath(newRelativePath)]];
 
 
-  NSString* itemName = [newAbsolutePath lastPathComponent];
 
-  if ((!_allowHiddenItems && [itemName hasPrefix:@"."]) || (!isDirectory && ![self _checkFileExtension:itemName])) {
 
-    return [GCDWebServerErrorResponse responseWithClientError:kGCDWebServerHTTPStatusCode_Forbidden message:@"Moving to item name \"%@\" is not allowed", itemName];
 
+  NSString* newItemName = [newAbsolutePath lastPathComponent];
 
+  if ((!_allowHiddenItems && [newItemName hasPrefix:@"."]) || (!isDirectory && ![self _checkFileExtension:newItemName])) {
 
+    return [GCDWebServerErrorResponse responseWithClientError:kGCDWebServerHTTPStatusCode_Forbidden message:@"Moving to item name \"%@\" is not allowed", newItemName];
 
   }
 
 
   if (![self shouldMoveItemFromPath:oldAbsolutePath toPath:newAbsolutePath]) {