contrib/nitiwiki: use absolute paths to detect access outside the source dir
authorAlexis Laferrière <alexis.laf@xymus.net>
Tue, 8 Dec 2015 13:28:48 +0000 (08:28 -0500)
committerAlexis Laferrière <alexis.laf@xymus.net>
Tue, 8 Dec 2015 15:08:29 +0000 (10:08 -0500)
Signed-off-by: Alexis Laferrière <alexis.laf@xymus.net>

contrib/nitiwiki/src/wiki_edit.nit

index 22faa25..7dd6012 100644 (file)
@@ -94,7 +94,10 @@ class EditAction
                var file_path = turi.strip_leading_slash
                file_path = wiki_root / file_path
 
-               if not file_path.simplify_path.has_prefix(source_dir) then
+               var abs_file_path = file_path.to_absolute_path
+               var abs_source_dir = source_dir.to_absolute_path
+
+               if not abs_file_path.has_prefix(abs_source_dir) then
                        # Attempting to access a file outside the source directory
                        var entity = new WikiEditForm(wiki, turi.strip_leading_slash,
                                "Access denied: ", "", "<p>Target outside of the source directory</p>")
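Review bot: The containment test on the new `if not abs_file_path.has_prefix(abs_source_dir) then` line is a plain string prefix match, so it is not anchored at a path-component boundary. A sibling directory whose name merely begins with the source directory's name (constructed example: `/srv/wiki/pages-old` against `/srv/wiki/pages`) would still pass. Requiring the separator fixes this, e.g. `if not abs_file_path.has_prefix(abs_source_dir + "/") then`, assuming `simplify_path` leaves no trailing slash on `abs_source_dir`. The comparison also appears to be purely lexical, so a symbolic link inside the source directory that points elsewhere would not be caught; whether that matters depends on who can create files there. The enclosing method starts and ends outside the hunk.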
@@ -166,6 +169,11 @@ redef class String
                if has_prefix("/") then return substring_from(1)
                return self
        end
+
+       private fun to_absolute_path: String
+       do
+               return (getcwd / self).simplify_path
+       end
 end
 
 var config_file_path = "config.ini"
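Review bot: `to_absolute_path` has no doc comment, and because the access check in `EditAction` now relies on it, its limits should be stated where it is defined. Above the `private fun to_absolute_path: String` line I would add `# Absolute, lexically normalized form of self, resolved against getcwd.` followed by `# Symbolic links are not resolved and the path is not checked against the file system.` (the second line reflects how `simplify_path` is understood to behave; confirm against its documentation). The result also depends on the process working directory at call time, which is worth stating if the server could ever change directory after startup.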