Fix path check bug in HlsServlet and support dir symlinks

The String.startsWith() comparison against the canonical recording dir
did not always check the last path component correctly:

recordingDir: /path/to/dir
request: ../dirOther/filename
This commit is contained in:
0xboobface 2019-12-17 21:18:29 +01:00
parent 88735d93ee
commit ab81fa4c94
1 changed files with 7 additions and 3 deletions


@ -4,6 +4,8 @@ import static javax.servlet.http.HttpServletResponse.*;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
@ -30,10 +32,12 @@ public class HlsServlet extends AbstractCtbrecServlet {
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String contextPath = getServletContext().getContextPath();
String request = req.getRequestURI().substring(contextPath.length() + 5);
File recordingsDir = new File(config.getSettings().recordingsDir);
File requestedFile = new File(recordingsDir, request);
Path recordingsDirPath = Paths.get(config.getSettings().recordingsDir).toAbsolutePath().normalize();
Path requestedFilePath = recordingsDirPath.resolve(request).toAbsolutePath().normalize();
if (requestedFile.getCanonicalPath().startsWith(config.getSettings().recordingsDir)) {
boolean isValidRequestedPath = requestedFilePath.startsWith(recordingsDirPath);
if (isValidRequestedPath) {
File requestedFile = requestedFilePath.toFile();
if (requestedFile.getName().equals("playlist.m3u8")) {
try {
boolean isRequestAuthenticated = checkAuthentication(req, req.getRequestURI());