matt
October 21, 2016, 1:14pm
2
Never seen this before! Do you have read permissions in that directory or to that file?
bugmenot
October 21, 2016, 7:55pm
3
Hey Matt,
upload /upload {
Details:
This throws the ‘exploding’ text:
}
fileName := part.FileName()
if fileName == "" {
continue
}
_, retval, err := h.WriteOneHTTPBlob(scope, config, fileName, part.Header.Get("Content-Length"), part)
if err != nil {
// Don't use the fileName here: it is controlled by the user.
return retval, errors.Wrap(err, "MIME Multipart exploding failed on part "+strconv.Itoa(partNum))
}
}
return http.StatusOK, nil
}
// Translates the 'scope' into a proper directory, and extracts the filename from the resulting string.
func (h *Handler) translateForFilesystem(scope, providedName string, config *ScopeConfiguration) (fsPath, fsFilename string, err error) {
// 'uc' is freely controlled by the uploader
uc := strings.TrimPrefix(providedName, scope) // "/upload/mine/my.blob" → "/mine/my.blob"
Going down to (Throwing 422):
anticipatedSize string, r io.Reader) (uint64, int, error) {
expectBytes, _ := strconv.ParseUint(anticipatedSize, 10, 64)
if anticipatedSize != "" && expectBytes <= 0 {
return 0, http.StatusLengthRequired, errLengthInvalid
// Usually 411 is used for the outermost element.
// We don't require any length; but it must be valid if given.
}
path, fname, err := h.translateForFilesystem(scope, fileName, config)
if err != nil {
return 0, 422, err // 422: unprocessable entity
}
if config.RandomizedSuffixLength > 0 {
extension := filepath.Ext(fname)
basename := strings.TrimSuffix(fname, extension)
if basename == "" {
fname = printableSuffix(config.RandomizedSuffixLength) + extension
} else {
fname = basename + "_" + printableSuffix(config.RandomizedSuffixLength) + extension
}
Which fails in:
if err != nil {
// Don't use the fileName here: it is controlled by the user.
return retval, errors.Wrap(err, "MIME Multipart exploding failed on part "+strconv.Itoa(partNum))
}
}
return http.StatusOK, nil
}
// Translates the 'scope' into a proper directory, and extracts the filename from the resulting string.
func (h *Handler) translateForFilesystem(scope, providedName string, config *ScopeConfiguration) (fsPath, fsFilename string, err error) {
// 'uc' is freely controlled by the uploader
uc := strings.TrimPrefix(providedName, scope) // "/upload/mine/my.blob" → "/mine/my.blob"
s := filepath.Join(config.WriteToPath, strings.TrimLeft(uc, "./")) // → "/var/mine/my.blob"
// stop any childish path trickery here
translated := filepath.Clean(s) // "/var/mine/../mine/my.blob" → "/var/mine/my.blob"
if !strings.HasPrefix(translated, config.WriteToPath) {
err = os.ErrPermission
return
}
P.S.:
Cheers!
matt
October 21, 2016, 11:10pm
4
You should file an issue on that plugin’s repository, it could be overlooked here. (Sorry, I wish I had the means to help you more on it right now!)
1 Like
wmark
January 9, 2017, 11:15pm
5
We’ve covered this in a different ticket, I think. But leaving this here in case someone else runs into this:
The target directory for uploads should be an absolute one. That is, something like /var/www/dir is highly recommended, because a plugin outside the scope of caddy or upload could change the working directory itself resulting in grief when having used relative directories, which now, that caddy switched from eager checks of paths, point somewhere else.
»Implode/explode elements e to/from a serialization form c« is programmer’s slang from the nineties. (»Explode strings from array…«) Slightly related, other eastern eggs you might spot on the internet are descriptions to returns codes 200 Here you go (instead of OK), or 403 Verboten.
system
April 9, 2017, 11:15pm
6
This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.
