From bf4cca631c04fa09a5a3081278aeca6b22e4f1d2 Mon Sep 17 00:00:00 2001
From: Sarah Jamie Lewis
Date: Wed, 9 Mar 2022 14:32:21 -0800
Subject: [PATCH 1/2] Properly remove bad profile dir

---
 app/app.go | 2 +-
 peer/storage.go | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/app/app.go b/app/app.go
index b9947ff..bd89143 100644
--- a/app/app.go
+++ b/app/app.go
@@ -129,7 +129,7 @@ func (app *application) AddPeerPlugin(onion string, pluginID plugins.PluginID) {
 func (app *application) ImportProfile(exportedCwtchFile string, password string) (peer.CwtchPeer, error) {
 profileDirectory := path.Join(app.directory, "profiles")
 profile, err := peer.ImportProfile(exportedCwtchFile, profileDirectory, password)
- if err == nil {
+ if profile != nil || err == nil {
 app.installProfile(profile)
 }
 return profile, err
diff --git a/peer/storage.go b/peer/storage.go
index 89bcf76..57120ba 100644
--- a/peer/storage.go
+++ b/peer/storage.go
@@ -191,7 +191,8 @@ func ImportProfile(exportedCwtchFile string, profilesDir string, password string
 return profile, err
 }
 // Otherwise purge
- os.RemoveAll(filepath.Join(profilesDir, profileDir))
+ log.Errorf("error importing profile: %v. removing %s", err, profileDir)
+ os.RemoveAll(profileDir)
 return nil, err
 }
 return nil, err
--
2.25.1

From ff91300c3973e5aabcfcc51d67e79d6c62ef89f7 Mon Sep 17 00:00:00 2001
From: Sarah Jamie Lewis
Date: Wed, 9 Mar 2022 15:52:24 -0800
Subject: [PATCH 2/2] Adding extra checks to import tarball profile name

---
 peer/storage.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/peer/storage.go b/peer/storage.go
index 57120ba..68db73b 100644
--- a/peer/storage.go
+++ b/peer/storage.go
@@ -5,6 +5,7 @@ import (
 "compress/gzip"
 "crypto/rand"
 "database/sql"
+ "encoding/hex"
 "errors"
 "fmt"
 "git.openprivacy.ca/openprivacy/log"
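Review bot: In app/app.go's ImportProfile, the new condition `profile != nil || err == nil` reaches `app.installProfile(profile)` in two cases that look unintended: when `err` is nil but `profile` is nil, and when a profile comes back together with a non-nil error. For an import of an externally supplied file the fail-closed form is `if err == nil && profile != nil {`. If peer.ImportProfile is meant to return a usable profile alongside a non-fatal error, a comment such as `// ImportProfile may return a usable profile with a non-fatal error` would make that contract explicit. If peer.CwtchPeer is an interface, a typed nil pointer would also satisfy `profile != nil`, which is worth confirming in peer.ImportProfile.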
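Review bot: In the purge branch of peer/storage.go's ImportProfile, the result of `os.RemoveAll(profileDir)` is dropped, so a failed cleanup leaves a partially imported profile directory on disk with nothing recorded beyond the import error. Checking it keeps that visible: `if rmErr := os.RemoveAll(profileDir); rmErr != nil { log.Errorf("could not remove %s: %v", profileDir, rmErr) }`. The deletion now takes `profileDir` as given instead of joining it under `profilesDir`; its assignment is outside the hunk, so it is worth confirming there that the value always resolves inside `profilesDir` before it reaches RemoveAll. ImportProfile's body starts and ends outside the hunk.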
@@ -238,6 +239,11 @@ func checkCwtchProfileBackupFile(srcFile string) (string, error) {
 dir := parts[0]
 profileFileType := parts[1]
+ _, hexErr := hex.DecodeString(dir)
+ if dir == "." || dir == ".." || len(dir) !=32 || hexErr != nil {
+ return "", errors.New("invalid profile name")
+ }
+
 if profileName == "" {
 profileName = dir
 }
@@ -293,6 +299,12 @@ func importCwtchProfileBackupFile(srcFile string, profilesDir string) error {
 }
 dir := parts[0]
 base := parts[1]
+
+ _, hexErr := hex.DecodeString(dir)
+ if dir == "." || dir == ".." || len(dir) != 32 || hexErr != nil {
+ return errors.New("invalid profile name")
+ }
+
 if profileName == "" {
 profileName = dir
 }
--
2.25.1
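Review bot: The profile-name check added in checkCwtchProfileBackupFile is repeated verbatim in importCwtchProfileBackupFile (the `@@ -293,6 +299,12 @@` hunk), so the two validators can drift apart; one helper called from both keeps the accepted set identical. The `dir == "."` and `dir == ".."` clauses are already implied by `len(dir) != 32`, and `!=32` in this hunk is not gofmt-clean. hex.DecodeString accepts both upper- and lower-case digits, so two spellings of one name pass; if profile directories are always written in lower case, rejecting upper case here would avoid aliasing on case-insensitive filesystems. Both function bodies extend beyond their hunks.

```go
// validProfileDirName reports whether dir is a 32-character hex string,
// the only directory name accepted from an imported archive.
func validProfileDirName(dir string) bool {
	if len(dir) != 32 {
		return false
	}
	_, err := hex.DecodeString(dir)
	return err == nil
}

// in checkCwtchProfileBackupFile, after dir := parts[0]
if !validProfileDirName(dir) {
	return "", errors.New("invalid profile name")
}
// … unchanged: profileName assignment …
```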
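Review bot: In importCwtchProfileBackupFile only `dir` (parts[0]) is validated; `base := parts[1]` passes the added check untouched, and its later use is outside the hunk. If `base` is joined into the destination path it needs the same treatment, ideally an allow-list of the file names a profile backup may contain, or at least rejecting `.`, `..` and any value where `filepath.Base(base) != base`. How `parts` is produced is also not visible here, so it is worth confirming that an archive entry with more than two path components is rejected rather than truncated to its first two.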