Check WithinScope for src and dst in resourcePatchHandler before
fileutils.Copy/MoveFile, which follow symlinks and bypassed the
stat()/writeFile() guards (GHSA-239w-m3h6-ch8v).
- http/raw.go: strip Windows backslash separators from archive entry names
on any host. filepath.ToSlash is a no-op for "\" on Linux, so a stored
backslash filename was emitted verbatim and could escape the extraction
directory on Windows extractors (zip-slip). (GHSA-gxjx-7m74-hcq8)
- http/auth.go: cap the login and signup request bodies with
http.MaxBytesReader (1 MiB). The JSON decoder previously read an
arbitrarily large password into memory before bcrypt truncated it,
enabling unauthenticated memory-exhaustion DoS. (GHSA-w5fm-68j4-fpc4)
- files/file.go, http/resource.go: add files.WithinScope and refuse to
follow a symlink whose on-disk target escapes the user's scoped root,
on both the read path (stat) and the write path (writeFile). Prevents a
scoped user from reading/overwriting/sharing files outside their scope
via a pre-existing escaping symlink. (GHSA-239w-m3h6-ch8v)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The defaults remain the same as before.
For now, the config options are global instead of per-user.
Note also that the BoltDB creation maintains the old default mode of 0640
since it's not really a user-facing filesystem manipulation.
Fixes#5316, #5200
* Fixed an issue where aborting an upload would not delete the partial upload from the server. Also fixed an issue where the abortAll function wasn't resetting and reloading the frontend properly
* Add server-side tus delete handler
---------
Co-authored-by: Oleg Lobanov <oleg@lobanov.me>
* fix: use incorrect suffix and return no 500(#1972、#1967)
* chore: set progress bar to small
Co-authored-by: Ramires Viana <59319979+ramiresviana@users.noreply.github.com>
* chore: refactoring
Co-authored-by: Oleg Lobanov <oleg@lobanov.me>
Co-authored-by: Ramires Viana <59319979+ramiresviana@users.noreply.github.com>