fix: disallow shares for non-existent paths

This commit is contained in:
Henrique Dias 2026-06-03 11:43:22 +02:00
parent 85b7d2762d
commit 166583db63
No known key found for this signature in database

View file

@ -99,6 +99,13 @@ var shareDeleteHandler = withPermShare(func(_ http.ResponseWriter, r *http.Reque
})
var sharePostHandler = withPermShare(func(w http.ResponseWriter, r *http.Request, d *data) (int, error) {
// Only allow sharing paths that currently exist. Otherwise a share could be
// created for a non-existent path and would silently start exposing
// whatever file later appears there.
if _, err := d.user.Fs.Stat(r.URL.Path); err != nil {
return errToStatus(err), err
}
var s *share.Link
var body share.CreateBody
if r.Body != nil {