Commit 5beb13b2 authored by Juliusz Chroboczek's avatar Juliusz Chroboczek

Early paranoia in group name validation.

We will fail malicious paths in openDescriptionFile, but it
does no harm to be paranoid early.
parent 0d0a745a
......@@ -373,8 +373,22 @@ func Add(name string, desc *Description) (*Group, error) {
return g, err
}
func validGroupName(name string) bool {
if filepath.Separator != '/' &&
strings.ContainsRune(name, filepath.Separator) {
return false
}
s := path.Clean("/" + name)
if s == "/" {
return false
}
return s == "/"+name
}
func add(name string, desc *Description) (*Group, []Client, error) {
if name == "" || strings.HasSuffix(name, "/") {
if !validGroupName(name) {
return nil, nil, UserError("illegal group name")
}
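Review bot: On Windows, validGroupName still accepts names containing `:` and reserved device names, because it rejects only the OS separator and `path.Clean` knows nothing about either. If the module's minimum Go version allows it (1.20+), adding `if !filepath.IsLocal(filepath.FromSlash(name)) { return false }` before the `path.Clean` comparison would cover those cases. Whether openDescriptionFile already rejects them is not visible in this hunk. The new function also has no doc comment; something like `// validGroupName reports whether name is a clean, relative, slash-separated path with no empty, "." or ".." components.` would state the contract that `add` now relies on.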
......
......@@ -245,3 +245,32 @@ func TestFmtpValue(t *testing.T) {
}
}
}
func TestValidGroupName(t *testing.T) {
type nameTest struct {
name string
result bool
}
tests := []nameTest{
{"", false},
{"/", false},
{"/foo", false},
{"foo/", false},
{"./foo", false},
{"foo/.", false},
{"../foo", false},
{"foo/..", false},
{"foo/./bar", false},
{"foo/../bar", false},
{"foo", true},
{"foo/bar", true},
}
for _, test := range tests {
r := validGroupName(test.name)
if r != test.result {
t.Errorf("Valid %v: got %v, expected %v",
test.name, r, test.result)
}
}
}
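Review bot: The table in TestValidGroupName has no case for a doubled slash or for a bare `.` or `..`, all of which the `path.Clean` comparison in validGroupName is expected to reject. Adding `{"foo//bar", false},`, `{".", false},` and `{"..", false},` would pin those down. The `filepath.Separator` branch is never reached on platforms where the separator is `/`, so a case built from `string(filepath.Separator)` under the same condition would be needed to cover it. Using `%q` rather than `%v` for `test.name` in the `t.Errorf` call would make a failure on the empty-string case readable.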