authorStefan Boberg <[email protected]>2026-03-20 19:58:36 +0100
committerStefan Boberg <[email protected]>2026-03-20 19:58:36 +0100
commit82620db8cfc41f80b4f0dde7d9eee92e6eb7aa0d (patch)
treea33571101755bf390ec20f10c9dcdab7d0863e79 /src/zenhttp/httpserver.cpp
parentAdd .clangd config to strip unsupported MSVC flags (diff)
Reject local file references in package parsing by default
- Add ParseFlags enum with kAllowLocalReferences opt-in flag
- Default to rejecting local refs in ParsePackageMessage and CbPackageReader, protecting against path traversal from untrusted remote clients
- Add HttpService::AcceptsLocalFileReferences() virtual (default false)
- Override to true in HttpStructuredCacheService and HttpProjectService, which need local refs for the local UE cooker optimization
- Both server ingest paths now require IsLocalMachineRequest() AND AcceptsLocalFileReferences() before allowing local refs
Diffstat (limited to 'src/zenhttp/httpserver.cpp')
-rw-r--r--src/zenhttp/httpserver.cpp15
1 files changed, 13 insertions, 2 deletions
diff --git a/src/zenhttp/httpserver.cpp b/src/zenhttp/httpserver.cpp
index ce3440f9a..d15ef7a00 100644
--- a/src/zenhttp/httpserver.cpp
+++ b/src/zenhttp/httpserver.cpp
@@ -479,6 +479,12 @@ HttpService::HandlePackageRequest(HttpServerRequest& HttpServiceRequest)
return Ref<IHttpPackageHandler>();
}
+bool
+HttpService::AcceptsLocalFileReferences() const
+{
+ return false;
+}
+
//////////////////////////////////////////////////////////////////////////
HttpServerRequest::HttpServerRequest(HttpService& Service) : m_Service(Service)
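Review bot: The new base implementation of `AcceptsLocalFileReferences()` carries a security contract that nothing at the definition states. Per the call sites in this commit, returning true lets a package payload name files for the server to open, and it only takes effect together with `IsLocalMachineRequest()`. Unless the header declaration already documents this, add a comment such as `// Default-deny. Override to return true only if same-machine callers may name any file this process can read.` As far as this file shows, the opt-in is per service rather than per endpoint, which is worth saying in the same comment.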
@@ -705,7 +711,9 @@ HttpServerRequest::ReadPayloadPackage()
{
if (IoBuffer Payload = ReadPayload())
{
- return ParsePackageMessage(std::move(Payload));
+ ParseFlags Flags =
+ (IsLocalMachineRequest() && m_Service.AcceptsLocalFileReferences()) ? ParseFlags::kAllowLocalReferences : ParseFlags::kDefault;
+ return ParsePackageMessage(std::move(Payload), {}, Flags);
}
return {};
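Review bot: The allow/deny decision for local references is written out twice, here and again in the HandlePackageOffers hunk, so a later change to one copy can silently leave the other ingest path more permissive. A single helper on the request would keep them identical, for example `ParseFlags PackageParseFlags() const { return (IsLocalMachineRequest() && m_Service.AcceptsLocalFileReferences()) ? ParseFlags::kAllowLocalReferences : ParseFlags::kDefault; }`. The bare `{}` passed as the second argument would also read better with a short comment naming the parameter it leaves defaulted. ReadPayloadPackage() starts and ends outside this hunk.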
@@ -1259,7 +1267,10 @@ HandlePackageOffers(HttpService& Service, HttpServerRequest& Request, Ref<IHttpP
return PackageHandlerRef->CreateTarget(Cid, Size);
};
- CbPackage Package = ParsePackageMessage(Request.ReadPayload(), CreateBuffer);
+ ParseFlags PkgFlags = (Request.IsLocalMachineRequest() && Service.AcceptsLocalFileReferences())
+ ? ParseFlags::kAllowLocalReferences
+ : ParseFlags::kDefault;
+ CbPackage Package = ParsePackageMessage(Request.ReadPayload(), CreateBuffer, PkgFlags);
PackageHandlerRef->OnRequestComplete();
}
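Review bot: Whether a request may use local references now rests on `Request.IsLocalMachineRequest()`, whose implementation is not part of this diff. If that check is based on the peer address, a reverse proxy, tunnel or port forward on the same host would presumably make remote clients look local, so the assumption should be confirmed and stated above `PkgFlags`, e.g. `// Local refs only for same-machine callers of services that opted in; see IsLocalMachineRequest() for what counts as local.` This path also reads the `Service` parameter while ReadPayloadPackage() reads the request's own `m_Service`; if the two can ever differ the paths could disagree, and deriving the flag from the request alone would remove the doubt. The enclosing function starts and ends outside the hunk.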