diff options
Diffstat (limited to 'debian/patches/0002-remove-file-serve-restrictions-for-symlinks.patch')
-rw-r--r-- | debian/patches/0002-remove-file-serve-restrictions-for-symlinks.patch | 37 |
1 files changed, 23 insertions, 14 deletions
diff --git a/debian/patches/0002-remove-file-serve-restrictions-for-symlinks.patch b/debian/patches/0002-remove-file-serve-restrictions-for-symlinks.patch index 9b607044e..7a4d7af2b 100644 --- a/debian/patches/0002-remove-file-serve-restrictions-for-symlinks.patch +++ b/debian/patches/0002-remove-file-serve-restrictions-for-symlinks.patch @@ -1,14 +1,16 @@ From: Lennart Weller <lhw@ring0.de> -Date: Mon, 5 Sep 2016 14:53:06 +0200 +Date: Tue, 24 Jan 2017 16:48:19 +0100 Subject: remove file serve restrictions for symlinks --- - src/web_client.c | 22 +++++++++++----------- - 1 file changed, 11 insertions(+), 11 deletions(-) + src/web_client.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) +diff --git a/src/web_client.c b/src/web_client.c +index 4b6ccf6..59c695e 100644 --- a/src/web_client.c +++ b/src/web_client.c -@@ -325,33 +325,33 @@ +@@ -327,8 +327,8 @@ int mysendfile(struct web_client *w, char *filename) snprintfz(webfilename, FILENAME_MAX, "%s/%s", web_dir, filename); // check if the file exists @@ -17,8 +19,9 @@ Subject: remove file serve restrictions for symlinks + struct stat wstat; + if(stat(webfilename, &wstat) != 0) { debug(D_WEB_CLIENT_ACCESS, "%llu: File '%s' is not found.", w->id, webfilename); - buffer_sprintf(w->response.data, "File '%s' does not exist, or is not accessible.", webfilename); - return 404; + buffer_strcat(w->response.data, "File does not exist, or is not accessible: "); + buffer_strcat_htmlescape(w->response.data, webfilename); +@@ -336,27 +336,27 @@ int mysendfile(struct web_client *w, char *filename) } // check if the file is owned by expected user @@ -26,7 +29,8 @@ Subject: remove file serve restrictions for symlinks - error("%llu: File '%s' is owned by user %u (expected user %u). Access Denied.", w->id, webfilename, stat.st_uid, web_files_uid()); + if(wstat.st_uid != web_files_uid()) { + error("%llu: File '%s' is owned by user %u (expected user %u). Access Denied.", w->id, webfilename, wstat.st_uid, web_files_uid()); - buffer_sprintf(w->response.data, "Access to file '%s' is not permitted.", webfilename); + buffer_strcat(w->response.data, "Access to file is not permitted: "); + buffer_strcat_htmlescape(w->response.data, webfilename); return 403; } @@ -34,8 +38,9 @@ Subject: remove file serve restrictions for symlinks - if(stat.st_gid != web_files_gid()) { - error("%llu: File '%s' is owned by group %u (expected group %u). Access Denied.", w->id, webfilename, stat.st_gid, web_files_gid()); + if(wstat.st_gid != web_files_gid()) { -+ error("%llu: File '%s' is owned by group %d (expected group %d). Access Denied.", w->id, webfilename, wstat.st_gid, web_files_gid()); - buffer_sprintf(w->response.data, "Access to file '%s' is not permitted.", webfilename); ++ error("%llu: File '%s' is owned by group %u (expected group %u). Access Denied.", w->id, webfilename, wstat.st_gid, web_files_gid()); + buffer_strcat(w->response.data, "Access to file is not permitted: "); + buffer_strcat_htmlescape(w->response.data, webfilename); return 403; } @@ -48,9 +53,9 @@ Subject: remove file serve restrictions for symlinks - if((stat.st_mode & S_IFMT) != S_IFREG) { + if((wstat.st_mode & S_IFMT) != S_IFREG) { error("%llu: File '%s' is not a regular file. Access Denied.", w->id, webfilename); - buffer_sprintf(w->response.data, "Access to file '%s' is not permitted.", webfilename); - return 403; -@@ -399,14 +399,14 @@ + buffer_strcat(w->response.data, "Access to file is not permitted: "); + buffer_strcat_htmlescape(w->response.data, webfilename); +@@ -407,17 +407,17 @@ int mysendfile(struct web_client *w, char *filename) else if(strstr(filename, ".icns") != NULL) w->response.data->contenttype = CT_IMAGE_ICNS; else w->response.data->contenttype = CT_APPLICATION_OCTET_STREAM; @@ -62,9 +67,13 @@ Subject: remove file serve restrictions for symlinks w->wait_send = 0; buffer_flush(w->response.data); - w->response.rlen = stat.st_size; -- w->response.data->date = stat.st_mtim.tv_sec; + w->response.rlen = wstat.st_size; + #ifdef __APPLE__ +- w->response.data->date = stat.st_mtimespec.tv_sec; ++ w->response.data->date = wstat.st_mtimespec.tv_sec; + #else +- w->response.data->date = stat.st_mtim.tv_sec; + w->response.data->date = wstat.st_mtim.tv_sec; + #endif /* __APPLE__ */ buffer_cacheable(w->response.data); - return 200; |