README.md: Fix CMake build instructions

The previous instructions were simply wrong because `cmake ..` would attempt to configure the project from the parent directory, instead of the build directory.
page.c: Do not get filename on previews
2024-05-05 01:07:01 +02:00 · 2024-03-01 00:06:03 +01:00 · 2024-02-24 08:39:25 +01:00 · 2024-02-20 21:44:53 +01:00 · 2024-02-20 21:24:17 +01:00 · 2024-02-20 08:18:11 +01:00
4 changed files with 35 additions and 22 deletions
--- a/README.md
+++ b/README.md
@ -59,13 +59,13 @@ to `slcl`. If required, encryption should be done before uploading e.g.: using
 #### Mandatory packages

 ```sh
-sudo apt install build-essential libcjson-dev libssl-dev
+sudo apt install build-essential libcjson-dev libssl-dev m4 jq
 ```

 #### Optional packages

 ```sh
-sudo apt install cmake xxd jq
+sudo apt install cmake
 ```

 ## How to use
@ -90,9 +90,8 @@ $ make
 #### CMake

 ```sh
-$ mkdir build/
-$ cmake ..
-$ cmake --build .
+$ cmake -B build
+$ cmake --build build/
 ```

 ### Setting up
--- a/main.c
+++ b/main.c
@ -395,16 +395,22 @@ static bool path_isrel(const char *const path)
 {
    if (!strcmp(path, "..")
        || !strcmp(path, ".")
-        || !strcmp(path, "./")
-        || !strcmp(path, "../")
+        || !strncmp(path, "./", strlen("./"))
+        || !strncmp(path, "../", strlen("../"))
+        || strstr(path, "/./")
        || strstr(path, "/../"))
        return true;

-    static const char suffix[] = "/..";
-    const size_t n = strlen(path), sn = strlen(suffix);
+    static const char *const suffixes[] = {"/.", "/.."};

-    if (n >= sn && !strcmp(path + n - sn, suffix))
-        return true;
+    for (size_t i = 0; i < sizeof suffixes / sizeof *suffixes; i++)
+    {
+        const char *const suffix = suffixes[i];
+        const size_t n = strlen(path), sn = strlen(suffix);
+
+        if (n >= sn && !strcmp(path + n - sn, suffix))
+            return true;
+    }

    return false;
 }
@ -429,7 +435,8 @@ static int getpublic(const struct http_payload *const p,
 {
    int ret = -1;
    struct auth *const a = user;
-    const char *const adir = auth_dir(a);
+    const char *const adir = auth_dir(a),
+        *const file = p->resource + strlen("/public/");
    struct dynstr d;

    dynstr_init(&d);
@ -439,6 +446,13 @@ static int getpublic(const struct http_payload *const p,
        fprintf(stderr, "%s: auth_dir failed\n", __func__);
        goto end;
    }
+    else if (!*file || filename_invalid(file))
+    {
+        fprintf(stderr, "%s: invalid filename %s\n",
+            __func__, p->resource);
+        ret = page_forbidden(r);
+        goto end;
+    }
    else if (path_invalid(p->resource))
    {
        fprintf(stderr, "%s: illegal relative path %s\n",
--- a/page.c
+++ b/page.c
@ -1305,7 +1305,15 @@ static int serve_file(struct http_response *const r,
    dynstr_init(&b);
    dynstr_init(&d);

-    if (dynstr_append(&b, "%s", res))
+    if (preview)
+    {
+        if (dynstr_append(&d, "inline"))
+        {
+            fprintf(stderr, "%s: dynstr_append inline failed\n", __func__);
+            goto end;
+        }
+    }
+    else if (dynstr_append(&b, "%s", res))
    {
        fprintf(stderr, "%s: dynstr_append res failed\n", __func__);
        goto end;
@ -1315,14 +1323,6 @@ static int serve_file(struct http_response *const r,
        fprintf(stderr, "%s: basename(3) failed\n", __func__);
        goto end;
    }
-    else if (preview)
-    {
-        if (dynstr_append(&d, "inline"))
-        {
-            fprintf(stderr, "%s: dynstr_append inline failed\n", __func__);
-            goto end;
-        }
-    }
    else if (dynstr_append(&d, "attachment; filename=\"%s\"", bn))
    {
        fprintf(stderr, "%s: dynstr_append attachment failed\n", __func__);
--- a/2
+++ b/2
@ -93,5 +93,5 @@ jq ".users += [
    \"quota\": \"$QUOTA\"
 }]" "$DB" > $TMP

-mkdir "$DIR/user/$USER"
+mkdir -p "$DIR/user/$USER"
 mv $TMP "$DB"
Author	SHA1	Message	Date
Xavier Del Campo Romero	32af8ddd3d	README.md: Fix CMake build instructions The previous instructions were simply wrong because `cmake ..` would attempt to configure the project from the parent directory, instead of the build directory.	2024-05-05 01:07:01 +02:00
Xavier Del Campo Romero	b4572c6217	page.c: Do not get filename on previews This change should provide the same behaviour, but would avoid unnecessary calls to dynstr_append and basename(3) when a preview is to be served.	2024-03-01 00:06:03 +01:00
Xavier Del Campo Romero	fb8896bccd	README.md: Update dependencies list - jq is required by usergen. - Despite being part of a POSIX.1-2008 environment, m4 is not provided by Debian or Ubuntu by default.	2024-02-24 08:39:25 +01:00
Xavier Del Campo Romero	dd29f9096a	usergen: Do not abort on existing directory Otherwise, it would not be possible to replace user credentials if the directory already exists.	2024-02-20 21:44:53 +01:00
Xavier Del Campo Romero	8bcf0bf855	main.c: Improve relative path detection Otherwise, the following resources would be considered valid: - /user/../test - /user/./test - /user/a/. - /user/a/./test	2024-02-20 21:24:17 +01:00
Xavier Del Campo Romero	afc5cf0dfc	main.c: Reject invalid /public/ requests Otherwise: - slcl would accept /public/ (i.e., without a file name) as a valid resource. This would incorrectly map the public/ directory on the database, making slcl to return -1 because public/ is not a regular file. - slcl would accept directory names (e.g.: /public/dir/), which is never expected since slcl stores all public files into a single directory.	2024-02-20 08:18:11 +01:00