fix: check if share is within scope when creating

This commit is contained in:
Henrique Dias 2026-06-03 11:57:10 +02:00
parent 4488f5b131
commit ca019ae7d9
No known key found for this signature in database

View file

@ -15,6 +15,7 @@ import (
"golang.org/x/crypto/bcrypt"
fberrors "github.com/filebrowser/filebrowser/v2/errors"
"github.com/filebrowser/filebrowser/v2/files"
"github.com/filebrowser/filebrowser/v2/share"
)
@ -106,6 +107,16 @@ var sharePostHandler = withPermShare(func(w http.ResponseWriter, r *http.Request
return errToStatus(err), err
}
// Refuse to create a share whose on-disk target escapes the user's scope
// (e.g. via a symlink), mirroring the read/write guards. The public serve
// path already rejects these, but blocking creation avoids dangling shares.
if ok, err := files.WithinScope(d.user.Fs, r.URL.Path); err != nil || !ok {
if err != nil {
return errToStatus(err), err
}
return http.StatusForbidden, nil
}
var s *share.Link
var body share.CreateBody
if r.Body != nil {