jgm / gitit

A wiki using HAppS, pandoc, and git
GNU General Public License v2.0

IllegalResourceName on edit when repository-path set to ../wikidata #539

Open torinthiel opened 8 years ago

torinthiel commented 8 years ago

When I set repository-path: ../wikidata in the config file, gitit starts and serves pages correctly. It also correctly gets updates made via git. However, if I log in and edit a page using the web interface, I can edit and preview normally, but when I try to save, the only message I get is

Server error: IllegalResourceName

This depends specifically on that setting - I have a plain default config file, with this one change. Changing it to the default wikidata works. It's not a problem with slash or dot, as ./wikidata and foo/wikidata work correctly. It appears to be a problem specifically with the parent directory. A workaround with ./../wikidata does not work.

I've tried ../foo/wikidata and it created the repository and then gave me the same error message on the command line, and exited. Subsequent runs failed to create default pages, but otherwise work identically - I can view and edit via git, but cannot edit via the web interface.

jgm commented 8 years ago

This comes from filestore.

See the comment on line 138 of Data/FileStore/Utils.hs:

-- | Inquire of a certain directory whether another file lies within its ambit.
--   This is basically asking whether the file is 'above' the directory in the filesystems's
--   directory tree. Useful for checking the legality of a filename.
--   Note: due to changes in canonicalizePath in ghc 7, we no longer have
--   a reliable way to do this; so isInsideDir is False whenever either
--   the file or the directory contains "..".
isInsideDir :: FilePath -> FilePath -> Bool
isInsideDir name dir = dir `isPrefixOf` name
  && not (".." `isInfixOf` dir) && not (".." `isInfixOf` name)

We used to canonicalize the paths to do this check reliably, but as the comment indicates, something changed that made this not work. (I don't recall what ... I don't even think I was responsible for this commit.)

There may be a way to do what we used to do with canonicalizePath, but for now we're doing an overly aggressive check that prohibits you from having .. in your wikidata path.

+++ Wacław Schiller [Feb 13 16 12:59 ]:

When I set repository-path: ../wikidata in the config file, gitit starts and serves pages correctly. It also correctly gets updates made via git. However, if I log in and edit a page using the web interface, I can edit and preview normally, but when I try to save, the only message I get is Server error: IllegalResourceName

This depends specifically on that setting - I have a plain default config file, with this one change. Changing it to the default wikidata works. It's not a problem with slash or dot, as ./wikidata and foo/wikidata work correctly. It appears to be a problem specifically with the parent directory. A workaround with ./../wikidata does not work.

I've tried ../foo/wikidata and it created the repository and then gave me the same error message on the command line, and exited. Subsequent runs failed to create default pages, but otherwise work identically - I can view and edit via git, but cannot edit via the web interface.

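An added example, not code from gitit or filestore: one way to do the containment check discussed above without rejecting every path that contains "..", by collapsing "." and ".." lexically and comparing path components instead of raw strings. The names isInsideDirOld (a copy of the quoted function), normalizeSegments and isInsideDirLexical are hypothetical; the sketch assumes POSIX-style paths and that both paths are relative to the same working directory.

```haskell
import Data.List (foldl', isInfixOf, isPrefixOf)
import System.FilePath (splitDirectories)

-- The check quoted in the thread, copied under a different name for comparison.
isInsideDirOld :: FilePath -> FilePath -> Bool
isInsideDirOld name dir = dir `isPrefixOf` name
  && not (".." `isInfixOf` dir) && not (".." `isInfixOf` name)

-- Collapse "." and ".." segments lexically, without touching the filesystem.
-- Leading ".." segments of a relative path cannot be collapsed and are kept.
normalizeSegments :: FilePath -> [FilePath]
normalizeSegments = reverse . foldl' step [] . splitDirectories
  where
    -- The accumulator holds the segments seen so far, last segment first.
    step acc "."  = acc
    step acc ".." = case acc of
      (s:rest) | s == "/"  -> acc        -- ".." at the root stays at the root
               | s /= ".." -> rest       -- drop the previous real segment
      _                    -> ".." : acc -- nothing left to drop: keep the ".."
    step acc seg  = seg : acc

-- True when 'name' normalizes to a strict descendant of 'dir'.
-- The comparison is per path component, so a sibling directory whose name
-- merely starts with the same characters is not treated as inside.
isInsideDirLexical :: FilePath -> FilePath -> Bool
isInsideDirLexical name dir =
  let d = normalizeSegments dir
      n = normalizeSegments name
  in d `isPrefixOf` n && length n > length d

-- Constructed sample inputs: (repository directory, resource path).
samples :: [(FilePath, FilePath)]
samples =
  [ ("../wikidata", "../wikidata/Front Page.page")   -- the reporter's setting
  , ("../wikidata", "../wikidata/../secret.txt")     -- climbs back out
  , ("wikidata",    "wikidata-old/Front Page.page")  -- sibling, shared prefix
  , ("./wikidata",  "wikidata/sub/../Help.page")     -- "." and inner ".."
  ]

main :: IO ()
main = mapM_ report samples
  where
    report (dir, name) = putStrLn $
      show (dir, name)
        ++ "  old=" ++ show (isInsideDirOld name dir)
        ++ "  lexical=" ++ show (isInsideDirLexical name dir)
```

Lexical normalization does not resolve symbolic links, so it answers a narrower question than the canonicalizePath approach mentioned in the thread; a symlink inside the repository that points elsewhere would still need a filesystem-level check.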