fix: hard patch that CVE O1 found

This commit is contained in:
Xory 2024-09-29 12:16:13 +03:00
parent 8ff1aca4de
commit 07800d69c0

View file

@ -14,6 +14,11 @@ pub fn handle_client(mut connection: TcpStream, target_dir: &String) -> std::io:
return Ok(()) return Ok(())
} }
let client_desired_file_path = format!("{}/{}", target_dir, &header.split(" ").collect::<Vec<&str>>()[1][1..]); // Your code is not optimised if it doesn't make an inexperienced rustdev have a heart attack. let client_desired_file_path = format!("{}/{}", target_dir, &header.split(" ").collect::<Vec<&str>>()[1][1..]); // Your code is not optimised if it doesn't make an inexperienced rustdev have a heart attack.
if client_desired_file_path.contains("..") {
connection.shutdown(Shutdown::Both)?;
println!("You should kill yourself... NOW!");
return Ok(())
}
dbg!(&client_desired_file_path); dbg!(&client_desired_file_path);
// let file_size: usize = fs::metadata(client_desired_file_path)?.len().try_into().unwrap(); // let file_size: usize = fs::metadata(client_desired_file_path)?.len().try_into().unwrap();
// let mut buffer = vec![0 as u8; file_size]; // Nuke the buffer. // let mut buffer = vec![0 as u8; file_size]; // Nuke the buffer.