b7e0b5f7674dfa7600149aab93d79bed3c3b926a chmalee Mon Jan 13 17:40:22 2025 -0800 When prefixing a file specified by the hubspace ui with the userDataDir, run realpath(3) on the file name to prevent looking up system files, refs #35018 diff --git src/hg/hgHubConnect/trackHubWizard.c src/hg/hgHubConnect/trackHubWizard.c index 84a1842..5f01e15 100644 --- src/hg/hgHubConnect/trackHubWizard.c +++ src/hg/hgHubConnect/trackHubWizard.c @@ -15,43 +15,52 @@ #include "web.h" #include "wikiLink.h" #include "customTrack.h" #include "userdata.h" #include "jsonWrite.h" #include "cartJson.h" #include "hubSpace.h" #include "hubSpaceKeys.h" #include "hubConnect.h" #include "trackHub.h" #include "htmshell.h" void removeOneFile(char *userName, char *cgiFileName, char *fullPath, char *db, char *fileType) /* Remove one single file for userName */ { +// prefixUserFile returns a canonicalized path, or NULL if the +// canonicalized path does not begin with the hg.conf specified userDataDir +// TODO: make the debug information from stderr go to stdout so the user +// can know there is a mistake somewhere, and only print the debug +// information in the event that the filename actually begins with the +// userDataDir so we don't tell hackers what files do and do not exist char *fileName = prefixUserFile(userName, fullPath, NULL); +if (fileName) + { if (fileExists(fileName)) { fprintf(stderr, "deleting file: '%s'\n", fileName); removeFileForUser(fileName, userName); fflush(stderr); } else { fprintf(stderr, "file '%s' does not exist\n", fileName); fflush(stderr); } } +} void removeHubDir(char *userName, char *cgiFileName) /* Remove one single hub for userName */ { char *hubDir = prefixUserFile(userName, cgiEncodeFull(cgiFileName), NULL); if (isDirectory(hubDir)) { fprintf(stderr, "deleting directory: '%s'\n", hubDir); removeHubForUser(hubDir, userName); fflush(stderr); } } void doRemoveFile(struct cartJson *cj, struct hash *paramHash) /* Process the request to remove a file */