strawberries/wiki-maker
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

added theoretical path traversal security, and fixed assets url

Browse Source
This commit is contained in:
eiiko6
2026-02-23 23:53:45 +01:00
parent 6111096a8c
commit c9697b1778
2 changed files with 14 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/rendering.rs
View File

@@ -24,7 +24,19 @@ pub async fn render_wiki_page(
no_navigation: bool, no_navigation: bool,
is_static: bool, is_static: bool,
) -> Result<String, String> { ) -> Result<String, String> {
let toml_path = docs_dir.join(filename); let toml_path = docs_dir
.join(filename)
.canonicalize()
.map_err(|_| "Not found")?;
let canonical_root = docs_dir
.canonicalize()
.map_err(|_| "Server Error: Invalid Root")?;
if !toml_path.starts_with(&canonical_root) {
return Err("Access Denied".to_string());
}
let toml_content = tokio::fs::read_to_string(&toml_path) let toml_content = tokio::fs::read_to_string(&toml_path)
.await .await
.map_err(|_| "Page configuration not found".to_string())?; .map_err(|_| "Page configuration not found".to_string())?;

2
templates/page.html
View File

@@ -15,7 +15,7 @@
<aside class="wiki-sidebar"> <aside class="wiki-sidebar">
{% if main_image %} {% if main_image %}
<div class="sidebar-image"> <div class="sidebar-image">
<img src="{% if is_static %}{{ main_image }}{% else %}/assets/{{ main_image }}{% endif %}" alt="{{ title }}"> <img src="{% if is_static %}{{ main_image }}{% else %}assets/{{ main_image }}{% endif %}" alt="{{ title }}">
</div> </div>
{% endif %} {% endif %}