Diffstat (limited to 'src/zenserver')
| -rw-r--r-- | src/zenserver/storage/projectstore/httpprojectstore.cpp | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/src/zenserver/storage/projectstore/httpprojectstore.cpp b/src/zenserver/storage/projectstore/httpprojectstore.cpp
index 4e947f221..8742ed75f 100644
--- a/src/zenserver/storage/projectstore/httpprojectstore.cpp
+++ b/src/zenserver/storage/projectstore/httpprojectstore.cpp
@@ -2900,8 +2900,24 @@ HttpProjectService::HandleRpcRequest(HttpRouterRequest& Req)
 {
 std::string_view ServerPath = View["serverpath"sv].AsString();
 std::filesystem::path FilePath = Project->RootDir / ServerPath;
- BasicFile DataFile;
- std::error_code Ec;
+ if (!std::filesystem::exists(FilePath))
+ {
+ ZEN_WARN("Attempted to read non-existent file '{}' in 'snapshot'", FilePath);
+ AllOk = false;
+ continue;
+ }
+
+ std::filesystem::path CanonicalRoot = std::filesystem::canonical(Project->RootDir);
+
+ if (!std::filesystem::canonical(FilePath).string().starts_with(CanonicalRoot.string()))
+ {
+ ZEN_WARN("Unable to read file '{}' outside of project root '{}'", FilePath, CanonicalRoot);
+ AllOk = false;
+ continue;
+ }
+
+ BasicFile DataFile;
+ std::error_code Ec;
 DataFile.Open(FilePath, BasicFile::Mode::kRead, Ec);
 if (Ec) |
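Review bot: The containment test `canonical(FilePath).string().starts_with(CanonicalRoot.string())` compares raw strings, so a file that resolves into a sibling directory whose name merely begins with the root's name (constructed example: root `/data/proj`, file under `/data/proj-other`) still passes; the comparison should be made per path component. The `exists()` and `canonical()` calls are the throwing overloads, so a filesystem error, or a file removed between the two calls, raises `std::filesystem::filesystem_error` inside the request loop instead of taking the `AllOk = false; continue;` path. `DataFile.Open` still receives the unresolved `FilePath`, so the path that is opened is not the one that was checked and a link changed in between would be followed; opening the canonical path narrows that window. The enclosing loop and `HandleRpcRequest` start and end outside the hunk, so whether `CanonicalRoot` can be computed once before the loop should be confirmed there.

```cpp
// … unchanged: ServerPath / FilePath construction …
std::error_code PathEc;
const std::filesystem::path CanonicalRoot = std::filesystem::canonical(Project->RootDir, PathEc);
const std::filesystem::path CanonicalFile =
    PathEc ? std::filesystem::path{} : std::filesystem::canonical(FilePath, PathEc);
if (PathEc)
{
    // canonical() reports a missing file through PathEc, so this also covers the exists() case without throwing
    ZEN_WARN("Unable to resolve file '{}' in 'snapshot': {}", FilePath, PathEc.message());
    AllOk = false;
    continue;
}

// Compare whole path components: a sibling directory that only shares the root's name as a prefix must not match
const bool IsUnderRoot = std::mismatch(CanonicalRoot.begin(), CanonicalRoot.end(),
                                       CanonicalFile.begin(), CanonicalFile.end()).first == CanonicalRoot.end();
if (!IsUnderRoot)
// … unchanged: warning, AllOk = false, continue …

BasicFile DataFile;
std::error_code Ec;
DataFile.Open(CanonicalFile, BasicFile::Mode::kRead, Ec);  // open the path that was checked
```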