So far, the viewer only serves files located in the note's directory or in one of its subdirectories. As, by default, annotation notes are always stored in the same directory as the file to be annotated, this security feature did not manifest as a restriction.
But, as #5 shows, some people prefer to store their notes in a separate directory, which can easily be realized either by modifying the `tmpl_annotate_*` templates or by a wrapper script invoking tp-note (see #5).
In order to better support this use case, the viewer's security feature described above could be relaxed a bit: it could allow following not only links below the note's directory, but also links that start one node above.
It should be mentioned in this context that tp-note comes with 2 other complementary security features:
- the viewer only serves files that are explicitly referenced as links in the note file
- the viewer only serves files whose file extension is part of the registered file extensions and MIME types (see configuration file)
Conclusion
Relaxing the restriction described above seems tenable.
PS
It turns out that at least Firefox resolves http://localhost:42829/../image.jpg to http://localhost:42829/image.jpg.
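An added example (not tp-note's own code) of how the relaxed containment check and the two complementary checks could be expressed together: the link is resolved relative to the note's directory, lexically normalised so that `..` segments are accounted for even when the client does not collapse them the way Firefox does, and then required to stay below the note directory's parent. The directory layout, the `links` set and the extension list are constructed for illustration.

```rust
use std::collections::HashSet;
use std::path::{Component, Path, PathBuf};

/// Lexically normalise `path` (resolve `.` and `..`) without touching the
/// filesystem. Returns `None` if a `..` would climb above the root, i.e. the
/// request tries to escape. This does not resolve symlinks; a real server
/// should additionally `fs::canonicalize` both target and root.
fn normalize(path: &Path) -> Option<PathBuf> {
    let mut out = PathBuf::new();
    for comp in path.components() {
        match comp {
            Component::Prefix(_) | Component::RootDir => out.push(comp.as_os_str()),
            Component::CurDir => {}
            Component::ParentDir => {
                if !out.pop() {
                    return None;
                }
            }
            Component::Normal(seg) => out.push(seg),
        }
    }
    Some(out)
}

/// The three checks with the proposed relaxation: the file must be linked from
/// the note, must lie below the *parent* of the note's directory (one node
/// above), and must carry a registered extension. `links` holds the link
/// targets found in the note (constructed by the caller in this example).
fn is_servable(note_dir: &Path, links: &HashSet<&str>, link: &str, allowed_ext: &[&str]) -> bool {
    // 1. Only files explicitly referenced in the note are served.
    if !links.contains(link) {
        return false;
    }
    // 2. Containment: resolve relative to the note's directory, then require
    //    the result to stay below the directory one level above it.
    let root = note_dir.parent().unwrap_or(note_dir);
    let target = match normalize(&note_dir.join(link)) {
        Some(t) => t,
        None => return false,
    };
    if !target.starts_with(root) {
        return false;
    }
    // 3. Extension allow-list (case-insensitive).
    target
        .extension()
        .and_then(|e| e.to_str())
        .map(|e| allowed_ext.iter().any(|a| a.eq_ignore_ascii_case(e)))
        .unwrap_or(false)
}
```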