rust macro which loads files into the rust binary at compile time during release and loads the file from the fs during dev.
e7c5447d
—
Buckram 1 year ago
add todo
- impl/src/lib.rs +4 -0
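--- a/impl/src/lib.rs
+++ b/impl/src/lib.rs
@@ -142,6 +142,10 @@ fn dynamic(ident: &syn::Ident, folder_path: String, prefix: Option<&str>, includ
 if !canonical_file_path.starts_with(#canonical_folder_path) {
 // Tried to request a path that is not in the embedded folder
 
+// TODO: Currently it allows "path_traversal_attack" for the symlink files
+// For it to be working properly we need to get absolute path first
+// and check that instead if it starts with `canonical_folder_path`
+// https://doc.rust-lang.org/std/path/fn.absolute.html (currently nightly)
 // Should be allowed only if it was a symlink
 let metadata = ::std::fs::symlink_metadata(file_path.as_path()).ok()?;
 if !metadata.is_symlink() {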
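Review bot: The remedy sketched in the added TODO (new lines 145-148) would not close the gap it describes. On POSIX, `std::path::absolute` keeps `..` components, and `Path::starts_with` compares component by component, so an absolute path that begins with the folder and then climbs out through `..` would still pass the check. The exception on new lines 150-151 only tests whether the final component of `file_path` is a symlink, and `file_path` presumably contains the caller-supplied relative part. The requested path therefore needs its parent-directory components rejected or lexically normalised before the symlink exception is considered. I would reword the TODO to say so, for example `// TODO: reject Component::ParentDir in the requested path before the symlink exception; path::absolute keeps ".." on POSIX`. The body of `dynamic` starts and ends outside this hunk, so what happens after the `is_symlink` test is not visible here.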