fix(restore): validate database file names in zip archive
Check that database entries in the zip have a .json suffix and a non-empty base name before slicing the extension off. This prevents a panic from index-out-of-range when the filename is too short. Also use TrimPrefix instead of ReplaceAll for correctness.
parent
7971500467
commit
3c0ea7099e
|
|
@ -81,7 +81,10 @@ func Restore(filename string, overrideConfig bool) error {
|
|||
continue
|
||||
}
|
||||
if strings.HasPrefix(file.Name, "database/") {
|
||||
fname := strings.ReplaceAll(file.Name, "database/", "")
|
||||
fname := strings.TrimPrefix(file.Name, "database/")
|
||||
if !strings.HasSuffix(fname, ".json") || len(fname) <= 5 {
|
||||
return fmt.Errorf("invalid database file name in zip archive: %q", file.Name)
|
||||
}
|
||||
dbfiles[fname[:len(fname)-5]] = file
|
||||
continue
|
||||
}
|
||||
|
|
@ -90,7 +93,7 @@ func Restore(filename string, overrideConfig bool) error {
|
|||
continue
|
||||
}
|
||||
if strings.HasPrefix(file.Name, "files/") {
|
||||
filesFiles[strings.ReplaceAll(file.Name, "files/", "")] = file
|
||||
filesFiles[strings.TrimPrefix(file.Name, "files/")] = file
|
||||
continue
|
||||
}
|
||||
if file.Name == "VERSION" {
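Review bot: The added guard `if !strings.HasSuffix(fname, ".json") || len(fname) <= 5` checks only the suffix and length, so a name that still carries path components passes; a constructed entry such as `database/../x.json` would produce the key `../x`. The `files/` branch in the second hunk has the same gap, since `filesFiles[strings.TrimPrefix(file.Name, "files/")] = file` stores the archive-supplied name with only the prefix removed. How these map keys are used later is not visible here, but if either is joined into a filesystem path or used as a database name, the archive should be treated as untrusted input. I would reject non-local names in both branches with `if !filepath.IsLocal(fname) { return fmt.Errorf("invalid file name in zip archive: %q", file.Name) }` (Go 1.20+), and for database entries also refuse separators with `strings.ContainsAny(fname, "/\\")`. Restore's body begins and ends outside both hunks, so an existing check elsewhere in the function cannot be ruled out.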
|
||||