crtxcr/qswiki
1
0
Fork 0
Code Issues 21 Pull Requests 1 Releases Activity

template: getPartPath(): Ensure return path isn't outside template dir

Browse Source 
user-input to this function might become possible soon
This commit is contained in:
Albert S. 2023-11-27 22:33:55 +01:00
parent 579fadfb10
commit 84adaa934a
1 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
template.cpp
View File

@ -18,6 +18,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE. SOFTWARE.
*/ */
#include <filesystem>
#include "template.h" #include "template.h"
#include "varreplacer.h" #include "varreplacer.h"
#include "urlprovider.h" #include "urlprovider.h"
@ -47,9 +48,15 @@ TemplatePage Template::getPage(const std::string &pagename)
std::string Template::getPartPath(std::string_view partname) std::string Template::getPartPath(std::string_view partname)
{ {
// TODO: utils::concatPath? C++17 paths? auto absolute_path = std::filesystem::canonical(std::filesystem::path{this->templatepath} / partname);
return this->templatepath + "/" + std::string(partname); std::string result = absolute_path.string();
if(result.starts_with(this->templatepath))
{
return result;
}
return "";
} }
std::string Template::loadPartContent(std::string_view partname) std::string Template::loadPartContent(std::string_view partname)
{ {
std::string partpath = getPartPath(partname); std::string partpath = getPartPath(partname);