go/sftpgo
1
0
Fork 0
mirror of https://github.com/drakkan/sftpgo.git synced 2025-11-23 22:04:50 +02:00
Code Issues Releases Activity

windows: try to escape trailing double quote in user input

Browse Source 
we try to remove the trailing double quote for user input such as this one

sftpgo.exe serve -c "C:\ProgramData\SFTPGO\"

the value for the -c flag is parsed as:

C:\ProgramData\SFTPGO"

this is what the user specified, but the user want this value:

C:\ProgramData\SFTPGO

so we try to remove the trailing double quote.

Please note that we cannot do anything for something like this:

-c "C:\ProgramData\SFTPGO\" -l "sftpgo.log"

in this case the -l flag will be ignored and the value for the c flag is:

C:\ProgramData\SFTPGO" -l sftpgo.log

and so probably it is invalid. This is definitely a bad user input
This commit is contained in:
Nicola Murino
2020-03-04 09:27:14 +01:00
parent f9fc5792fd
commit 31d285813e
8 changed files with 29 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
utils/utils.go
View File

@@ -20,6 +20,7 @@ import (
"os"
"path"
"path/filepath"
"runtime"
"strings"
"time"
@@ -299,3 +300,19 @@ func IsFileInputValid(fileInput string) bool {
}
return true
}
// CleanDirInput sanitizes user input for directories.
// On Windows it removes any trailing `"`.
// We try to help windows users that set an invalid path such as "C:\ProgramData\SFTPGO\".
// This will only help if the invalid path is the last argument, for example in this command:
// sftpgo.exe serve -c "C:\ProgramData\SFTPGO\" -l "sftpgo.log"
// the -l flag will be ignored and the -c flag will get the value `C:\ProgramData\SFTPGO" -l sftpgo.log`
// since the backslash after SFTPGO escape the double quote. This is definitely a bad user input
func CleanDirInput(dirInput string) string {
if runtime.GOOS == "windows" {
for strings.HasSuffix(dirInput, "\"") {
dirInput = strings.TrimSuffix(dirInput, "\"")
}
}
return filepath.Clean(dirInput)
}