1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
|
From: Lennart Weller <lhw@ring0.de>
Date: Mon, 5 Sep 2016 14:53:06 +0200
Subject: remove file serve restrictions for symlinks
---
src/web_client.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/src/web_client.c b/src/web_client.c
index 4036d4c..a7cc424 100644
--- a/src/web_client.c
+++ b/src/web_client.c
@@ -325,33 +325,33 @@ int mysendfile(struct web_client *w, char *filename)
snprintfz(webfilename, FILENAME_MAX, "%s/%s", web_dir, filename);
// check if the file exists
- struct stat stat;
- if(lstat(webfilename, &stat) != 0) {
+ struct stat wstat;
+ if(stat(webfilename, &wstat) != 0) {
debug(D_WEB_CLIENT_ACCESS, "%llu: File '%s' is not found.", w->id, webfilename);
buffer_sprintf(w->response.data, "File '%s' does not exist, or is not accessible.", webfilename);
return 404;
}
// check if the file is owned by expected user
- if(stat.st_uid != web_files_uid()) {
- error("%llu: File '%s' is owned by user %u (expected user %u). Access Denied.", w->id, webfilename, stat.st_uid, web_files_uid());
+ if(wstat.st_uid != web_files_uid()) {
+ error("%llu: File '%s' is owned by user %u (expected user %u). Access Denied.", w->id, webfilename, wstat.st_uid, web_files_uid());
buffer_sprintf(w->response.data, "Access to file '%s' is not permitted.", webfilename);
return 403;
}
// check if the file is owned by expected group
- if(stat.st_gid != web_files_gid()) {
- error("%llu: File '%s' is owned by group %u (expected group %u). Access Denied.", w->id, webfilename, stat.st_gid, web_files_gid());
+ if(wstat.st_gid != web_files_gid()) {
+ error("%llu: File '%s' is owned by group %d (expected group %d). Access Denied.", w->id, webfilename, wstat.st_gid, web_files_gid());
buffer_sprintf(w->response.data, "Access to file '%s' is not permitted.", webfilename);
return 403;
}
- if((stat.st_mode & S_IFMT) == S_IFDIR) {
+ if((wstat.st_mode & S_IFMT) == S_IFDIR) {
snprintfz(webfilename, FILENAME_MAX, "%s/index.html", filename);
return mysendfile(w, webfilename);
}
- if((stat.st_mode & S_IFMT) != S_IFREG) {
+ if((wstat.st_mode & S_IFMT) != S_IFREG) {
error("%llu: File '%s' is not a regular file. Access Denied.", w->id, webfilename);
buffer_sprintf(w->response.data, "Access to file '%s' is not permitted.", webfilename);
return 403;
@@ -399,14 +399,14 @@ int mysendfile(struct web_client *w, char *filename)
else if(strstr(filename, ".icns") != NULL) w->response.data->contenttype = CT_IMAGE_ICNS;
else w->response.data->contenttype = CT_APPLICATION_OCTET_STREAM;
- debug(D_WEB_CLIENT_ACCESS, "%llu: Sending file '%s' (%ld bytes, ifd %d, ofd %d).", w->id, webfilename, stat.st_size, w->ifd, w->ofd);
+ debug(D_WEB_CLIENT_ACCESS, "%llu: Sending file '%s' (%ld bytes, ifd %d, ofd %d).", w->id, webfilename, wstat.st_size, w->ifd, w->ofd);
w->mode = WEB_CLIENT_MODE_FILECOPY;
w->wait_receive = 1;
w->wait_send = 0;
buffer_flush(w->response.data);
- w->response.rlen = stat.st_size;
- w->response.data->date = stat.st_mtim.tv_sec;
+ w->response.rlen = wstat.st_size;
+ w->response.data->date = wstat.st_mtim.tv_sec;
return 200;
}
|
