mirror of
https://akkoma.dev/AkkomaGang/akkoma.git
synced 2024-11-26 07:52:17 +00:00
Resolve information disclosure vulnerability through emoji pack archive download endpoint
This commit is contained in:
parent
babb4b9a8f
commit
7e45343f81
|
@ -287,6 +287,7 @@ defmodule Pleroma.Emoji.Pack do
|
|||
|
||||
@spec load_pack(String.t()) :: {:ok, t()} | {:error, :file.posix()}
|
||||
def load_pack(name) do
|
||||
name = Path.basename(name)
|
||||
pack_file = Path.join([emoji_path(), name, "pack.json"])
|
||||
|
||||
with {:ok, _} <- File.stat(pack_file),
|
||||
|
|
|
@ -90,4 +90,8 @@ defmodule Pleroma.Emoji.PackTest do
|
|||
|
||||
assert updated_pack.files_count == 1
|
||||
end
|
||||
|
||||
test "load_pack/1 ignores path traversal in a forged pack name", %{pack: pack} do
|
||||
assert {:ok, ^pack} = Pack.load_pack("../../../../../dump_pack")
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue