Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix LFI in zola serve #2258

Merged
merged 2 commits into from
Aug 4, 2023
Merged

Fix LFI in zola serve #2258

merged 2 commits into from
Aug 4, 2023

Conversation

adeadfed
Copy link
Contributor

IMPORTANT: Please do not create a Pull Request adding a new feature without discussing it first.

The place to discuss new features is the forum: https://zola.discourse.group/
If you want to add a new feature, please open a thread there first in the feature requests section.

Sanity check:

  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?

Code changes

(Delete or ignore this section for documentation changes)

  • Are you doing the PR on the next branch?

If the change is a new feature or adding to/changing an existing one:

  • Have you created/updated the relevant documentation page(s)?

@adeadfed
Copy link
Contributor Author

Fix for #2257

@Keats Keats merged commit fe1967f into getzola:next Aug 4, 2023
@Keats
Copy link
Collaborator

Keats commented Aug 4, 2023

Thanks!

peterprototypes pushed a commit to peterprototypes/zola that referenced this pull request Sep 12, 2023
@adeadfed @peterprototypes
Fix LFI in zola serve (getzola#2258)
8eb751c 
* use fs canonicalize to prevent path traversal

* fix cargo fmt
technimad pushed a commit to technimad/zola that referenced this pull request Sep 30, 2023
@adeadfed
Fix LFI in zola serve (getzola#2258)
fa82846 
* use fs canonicalize to prevent path traversal

* fix cargo fmt
Keats pushed a commit that referenced this pull request Dec 18, 2023
@adeadfed @Keats
Fix LFI in zola serve (#2258)
208c506 
* use fs canonicalize to prevent path traversal

* fix cargo fmt
stanistan added a commit to stanistan/zola that referenced this pull request Jan 2, 2024
@stanistan
fix(serve): content can be served from output_path
11b265b 
This fixes a bug introduced in getzola#2258

The issue arose when `output_path` was relative. The request being
served would be canonicalized and this would be a string. So, for
example, if you were serving content from `public` the code
[right after](https://github.com/getzola/zola/blob/38199c125501e9ff0e700e96adaca72cc3f25d2b/src/cmd/serve.rs#L144-L147)
the canonicalization checking if
`root.starts_with(original_root)` would always return `false` since
an absolute path, `/some/path/to/content` would never start with a
string like `public`.
@stanistan stanistan mentioned this pull request Jan 2, 2024
Merged
3 tasks
stanistan added a commit to stanistan/zola that referenced this pull request Jan 2, 2024
@stanistan
fix(serve): content can be served from output_path
ac4c54d 
This fixes a bug introduced in getzola#2258

The issue arose when `output_path` was relative. The request being
served would be canonicalized and this would be a string. So, for
example, if you were serving content from `public` the code
[right after](https://github.com/getzola/zola/blob/38199c125501e9ff0e700e96adaca72cc3f25d2b/src/cmd/serve.rs#L144-L147)
the canonicalization checking if
`root.starts_with(original_root)` would always return `false` since
an absolute path, `/some/path/to/content` would never start with a
string like `public`.
stanistan added a commit to stanistan/zola that referenced this pull request Jan 2, 2024
@stanistan
fix(serve): content can be served from output_path
df19f5e 
This fixes a bug introduced in getzola#2258

The issue arose when `output_path` was relative. The request being
served would be canonicalized and this would be a string. So, for
example, if you were serving content from `public` the code
[right after](https://github.com/getzola/zola/blob/38199c125501e9ff0e700e96adaca72cc3f25d2b/src/cmd/serve.rs#L144-L147)
the canonicalization checking if
`root.starts_with(original_root)` would always return `false` since
an absolute path, `/some/path/to/content` would never start with a
string like `public`.
Keats pushed a commit that referenced this pull request Jan 7, 2024
@stanistan
fix(serve): content can be served from output_path (#2398)
42ea1b4 
This fixes a bug introduced in #2258

The issue arose when `output_path` was relative. The request being
served would be canonicalized and this would be a string. So, for
example, if you were serving content from `public` the code
[right after](https://github.com/getzola/zola/blob/38199c125501e9ff0e700e96adaca72cc3f25d2b/src/cmd/serve.rs#L144-L147)
the canonicalization checking if
`root.starts_with(original_root)` would always return `false` since
an absolute path, `/some/path/to/content` would never start with a
string like `public`.
veluca93 pushed a commit to veluca93/zola that referenced this pull request May 14, 2024
@stanistan @veluca93
fix(serve): content can be served from output_path (getzola#2398)
0282c62 
This fixes a bug introduced in getzola#2258

The issue arose when `output_path` was relative. The request being
served would be canonicalized and this would be a string. So, for
example, if you were serving content from `public` the code
[right after](https://github.com/getzola/zola/blob/38199c125501e9ff0e700e96adaca72cc3f25d2b/src/cmd/serve.rs#L144-L147)
the canonicalization checking if
`root.starts_with(original_root)` would always return `false` since
an absolute path, `/some/path/to/content` would never start with a
string like `public`.
Keats pushed a commit that referenced this pull request Jun 20, 2024
@stanistan @Keats
fix(serve): content can be served from output_path (#2398)
13a4d9d 
This fixes a bug introduced in #2258

The issue arose when `output_path` was relative. The request being
served would be canonicalized and this would be a string. So, for
example, if you were serving content from `public` the code
[right after](https://github.com/getzola/zola/blob/38199c125501e9ff0e700e96adaca72cc3f25d2b/src/cmd/serve.rs#L144-L147)
the canonicalization checking if
`root.starts_with(original_root)` would always return `false` since
an absolute path, `/some/path/to/content` would never start with a
string like `public`.
berdandy pushed a commit to berdandy/azola that referenced this pull request Sep 17, 2024
@stanistan @berdandy
fix(serve): content can be served from output_path (getzola#2398)
3e1c5db 
This fixes a bug introduced in getzola#2258

The issue arose when `output_path` was relative. The request being
served would be canonicalized and this would be a string. So, for
example, if you were serving content from `public` the code
[right after](https://github.com/getzola/zola/blob/38199c125501e9ff0e700e96adaca72cc3f25d2b/src/cmd/serve.rs#L144-L147)
the canonicalization checking if
`root.starts_with(original_root)` would always return `false` since
an absolute path, `/some/path/to/content` would never start with a
string like `public`.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@adeadfed @Keats