rust macro which loads files into the rust binary at compile time during release and loads the file from the fs during dev.
47e1f89c
—
Buckram 1 year ago
Fixed symlinks in debug mode
- impl/src/lib.rs +10 -1
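--- a/impl/src/lib.rs
+++ b/impl/src/lib.rs
@@ -141,7 +141,16 @@ fn dynamic(ident: &syn::Ident, folder_path: String, prefix: Option<&str>, includ
 let canonical_file_path = file_path.canonicalize().ok()?;
 if !canonical_file_path.starts_with(#canonical_folder_path) {
 // Tried to request a path that is not in the embedded folder
+
+// Should be allowed only if it was a symlink
+// TODO: Currently it allows "path_traversal_attack" for the symlink files
+// For it to be working properly we need to get absolute path first
+// and check that instead if it starts with `canonical_folder_path`
+// https://doc.rust-lang.org/std/path/fn.absolute.html (currently nightly)
+let metadata = ::std::fs::metadata(file_path.as_path()).ok()?;
+if !metadata.is_symlink() {
-
+return ::std::option::Option::None;
+}
 }
 
 if rust_embed::utils::is_path_included(&rel_file_path, INCLUDES, EXCLUDES) {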
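Review bot: `::std::fs::metadata` follows symbolic links, so the `metadata.is_symlink()` test on the added lines is false for every path that resolves and the branch still returns `None` for symlinked files; the link itself has to be queried, `let metadata = ::std::fs::symlink_metadata(file_path.as_path()).ok()?;`. With that change the exception covers any request whose final component is a symlink, which is the traversal the TODO describes, so the request should also be refused when it contains a `..` component before the symlink case is considered. A file reached through a symlinked directory would still be rejected, because only the last component is inspected. The body of `dynamic` starts and ends outside this hunk, so how `file_path` is built from the request is not visible here.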