From ca019ae7d966a7c28de2b2341271cd13e3458ae6 Mon Sep 17 00:00:00 2001 From: Henrique Dias Date: Wed, 3 Jun 2026 11:57:10 +0200 Subject: [PATCH] fix: check if share is within scope when creating --- http/share.go | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/http/share.go b/http/share.go index a0a15dc9..c73f5daf 100644 --- a/http/share.go +++ b/http/share.go @@ -15,6 +15,7 @@ import ( "golang.org/x/crypto/bcrypt" fberrors "github.com/filebrowser/filebrowser/v2/errors" + "github.com/filebrowser/filebrowser/v2/files" "github.com/filebrowser/filebrowser/v2/share" ) @@ -106,6 +107,16 @@ var sharePostHandler = withPermShare(func(w http.ResponseWriter, r *http.Request return errToStatus(err), err } + // Refuse to create a share whose on-disk target escapes the user's scope + // (e.g. via a symlink), mirroring the read/write guards. The public serve + // path already rejects these, but blocking creation avoids dangling shares. + if ok, err := files.WithinScope(d.user.Fs, r.URL.Path); err != nil || !ok { + if err != nil { + return errToStatus(err), err + } + return http.StatusForbidden, nil + } + var s *share.Link var body share.CreateBody if r.Body != nil {