| author | Stefan Boberg <[email protected]> | 2026-03-20 19:58:36 +0100 |
|---|---|---|
| committer | Stefan Boberg <[email protected]> | 2026-03-20 19:58:36 +0100 |
| commit | 82620db8cfc41f80b4f0dde7d9eee92e6eb7aa0d (patch) | |
| tree | a33571101755bf390ec20f10c9dcdab7d0863e79 /src/zenserver/storage/cache/httpstructuredcache.cpp | |
| parent | Add .clangd config to strip unsupported MSVC flags (diff) | |
| download | zen-82620db8cfc41f80b4f0dde7d9eee92e6eb7aa0d.tar.xz zen-82620db8cfc41f80b4f0dde7d9eee92e6eb7aa0d.zip | |
Reject local file references in package parsing by default

- Add ParseFlags enum with kAllowLocalReferences opt-in flag
- Default to rejecting local refs in ParsePackageMessage and
  CbPackageReader, protecting against path traversal from untrusted
  remote clients
- Add HttpService::AcceptsLocalFileReferences() virtual (default false)
- Override to true in HttpStructuredCacheService and HttpProjectService,
  which need local refs for the local UE cooker optimization
- Both server ingest paths now require IsLocalMachineRequest() AND
  AcceptsLocalFileReferences() before allowing local refs

Diffstat (limited to 'src/zenserver/storage/cache/httpstructuredcache.cpp')
| -rw-r--r-- | src/zenserver/storage/cache/httpstructuredcache.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/zenserver/storage/cache/httpstructuredcache.cpp b/src/zenserver/storage/cache/httpstructuredcache.cpp index bbdb03ba4..e678033b5 100644 --- a/src/zenserver/storage/cache/httpstructuredcache.cpp +++ b/src/zenserver/storage/cache/httpstructuredcache.cpp @@ -114,6 +114,12 @@ HttpStructuredCacheService::BaseUri() const return "/z$/"; } +bool +HttpStructuredCacheService::AcceptsLocalFileReferences() const +{ + return true; +} + void HttpStructuredCacheService::Flush() { |
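Review bot: the added HttpStructuredCacheService::AcceptsLocalFileReferences() returns true unconditionally and has no comment, so nothing at this site says that it opts the cache service in to local file references or that the opt-in is only half of the gate. The commit message states that the override exists for the local UE cooker optimization and that the ingest paths require IsLocalMachineRequest() as well; a short comment above the function saying both would keep a later reader from treating `return true;` as sufficient on its own, or from copying the override into a service that serves remote clients. The ingest-path check that pairs this with IsLocalMachineRequest() is not part of this file's diff, so it should be reviewed alongside this hunk to confirm that both conditions are evaluated before ParsePackageMessage or CbPackageReader is given kAllowLocalReferences.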