search

dutchcoders / transfer.sh

Easy and fast file sharing from the command-line.
https://github.com/dutchcoders/transfer.sh
MIT License
15.08k stars 1.54k forks source link

Normalize upload file name #606

Closed rumanzo closed 3 months ago

rumanzo commented 4 months ago

We found a problem, that caused due too simple input normalize.

~/projects/transfer.sh main* ❯ echo test >'%21adasd'
~/projects/transfer.sh main* ❯ curl -v --upload-file "./%0A%0D" "http://localhost:8080/%0A%0D"                                                                                                                                                                                                                       
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080
> PUT /%0A%0D HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/8.4.0
> Accept: */*
> Content-Length: 5
>
* We are completely uploaded and fine
< HTTP/1.1 200 OK
< Content-Type: text/plain
< Server: Transfer.sh HTTP Server
< X-Made-With: <3 by DutchCoders
< X-Served-By: Proudly served by DutchCoders
< X-Url-Delete: http://localhost:8080/8lzy2BjFp3/%0A%0D/3HDeD5tY446rktKZ88fw
< Date: Wed, 06 Mar 2024 10:06:28 GMT
< Content-Length: 39
<
* Connection #0 to host localhost left intact
http://localhost:8080/8lzy2BjFp3/%0A%0D
~/projects/transfer.sh main* ❯ ls temp/8lzy2BjFp3                                                                                                                                                                                                                                                                   
??          ??.metadata
~/projects/transfer.sh main* ❯ curl 'http://localhost:8080/8lzy2BjFp3/%0A%0D' -v                                                                                                                                                                                                                                     
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080
> GET /8lzy2BjFp3/%0A%0D HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Cache-Control: no-store
< Connection: keep-alive
< Content-Disposition: attachment; filename="  "
< Content-Length: 5
< Content-Type:
< Server: Transfer.sh HTTP Server
< Vary: Range, Referer, X-Decrypt-Password
< X-Made-With: <3 by DutchCoders
< X-Remaining-Days: n/a
< X-Remaining-Downloads: n/a
< X-Served-By: Proudly served by DutchCoders
< Date: Wed, 06 Mar 2024 15:55:26 GMT
<
test
* Connection #0 to host localhost left intact
~/projects/transfer.sh main* ❯ curl 'http://localhost:8080/8lzy2BjFp3/%0A%0D'  -H 'Accept: text/html' -v                                                                                                                                                                                                             
*   Trying [::1]:8080...
* connect to ::1 port 8080 failed: Connection refused
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080
> GET /8lzy2BjFp3/%0A%0D HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/8.4.0
> Accept: text/html
>
< HTTP/1.1 500 Internal Server Error
< Content-Type: text/plain; charset=utf-8
< Server: Transfer.sh HTTP Server
< Vary: Range, Referer, X-Decrypt-Password
< X-Content-Type-Options: nosniff
< X-Made-With: <3 by DutchCoders
< X-Served-By: Proudly served by DutchCoders
< Date: Wed, 06 Mar 2024 15:55:18 GMT
< Content-Length: 65
<
runtime error: invalid memory address or nil pointer dereference
* Connection #0 to host localhost left intact

If we look into https://github.com/dutchcoders/transfer.sh/blob/main/server/handlers.go#L253 filename variable when we use GET method with HEADERS, we will see "\n\r" in variable, and it's lead to runtime error. I realized filename normalization and trimming all newlines in user input in sanitize function

aspacca commented 4 months ago

hi @rumanzo , thanks for the PR, please, see my comments