WithinScope compared targets against root+separator, which produced
"//" when the scope resolved to "/". No path matched, so every write
was rejected with os.ErrPermission (HTTP 403), breaking saves and
uploads for root-scoped installs. Skip the appended separator when root
already ends in one.
- http/raw.go: strip Windows backslash separators from archive entry names
on any host. filepath.ToSlash is a no-op for "\" on Linux, so a stored
backslash filename was emitted verbatim and could escape the extraction
directory on Windows extractors (zip-slip). (GHSA-gxjx-7m74-hcq8)
- http/auth.go: cap the login and signup request bodies with
http.MaxBytesReader (1 MiB). The JSON decoder previously read an
arbitrarily large password into memory before bcrypt truncated it,
enabling unauthenticated memory-exhaustion DoS. (GHSA-w5fm-68j4-fpc4)
- files/file.go, http/resource.go: add files.WithinScope and refuse to
follow a symlink whose on-disk target escapes the user's scoped root,
on both the read path (stat) and the write path (writeFile). Prevents a
scoped user from reading/overwriting/sharing files outside their scope
via a pre-existing escaping symlink. (GHSA-239w-m3h6-ch8v)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The defaults remain the same as before.
For now, the config options are global instead of per-user.
Note also that the BoltDB creation maintains the old default mode of 0640
since it's not really a user-facing filesystem manipulation.
Fixes#5316, #5200
This changes allows to password protect shares. It works by:
* Allowing to optionally pass a password when creating a share
* If set, the password + salt that is configured via a new flag will be
hashed via bcrypt and the hash stored together with the rest of the
share
* Additionally, a random 96 byte long token gets generated and stored
as part of the share
* When the backend retrieves an unauthenticated request for a share that
has authentication configured, it will return a http 401
* The frontend detects this and will show a login prompt
* The actual download links are protected via an url arg that contains
the previously generated token. This allows us to avoid buffering the
download in the browser and allows pasting the link without breaking
it