filebrowser/files
Henrique Dias 847d08bdd1
fix: address three security disclosures (archive traversal, login DoS, symlink escape)
- http/raw.go: strip Windows backslash separators from archive entry names
  on any host. filepath.ToSlash is a no-op for "\" on Linux, so a stored
  backslash filename was emitted verbatim and could escape the extraction
  directory on Windows extractors (zip-slip). (GHSA-gxjx-7m74-hcq8)

- http/auth.go: cap the login and signup request bodies with
  http.MaxBytesReader (1 MiB). The JSON decoder previously read an
  arbitrarily large password into memory before bcrypt truncated it,
  enabling unauthenticated memory-exhaustion DoS. (GHSA-w5fm-68j4-fpc4)

- files/file.go, http/resource.go: add files.WithinScope and refuse to
  follow a symlink whose on-disk target escapes the user's scoped root,
  on both the read path (stat) and the write path (writeFile). Prevents a
  scoped user from reading/overwriting/sharing files outside their scope
  via a pre-existing escaping symlink. (GHSA-239w-m3h6-ch8v)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-03 11:21:00 +02:00
..
file.go fix: address three security disclosures (archive traversal, login DoS, symlink escape) 2026-06-03 11:21:00 +02:00
listing.go ci: remove goconst 2025-06-27 08:03:11 +02:00
mime.go chore: remove 'nolint' comments 2025-11-15 09:01:21 +01:00
sorting.go feat: v2 (#599) 2019-01-05 22:44:33 +00:00
utils.go feat: allow disabling file detections by reading header (#1175) 2021-01-07 11:30:17 +01:00