nikdoof/rustical
1
1
Fork 0
mirror of https://github.com/lennart-k/rustical.git synced 2026-01-30 12:58:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

dav: Check Host matching for MV,COPY

Browse Source
This commit is contained in:
Lennart
2026-01-19 12:37:35 +01:00
parent f73658b32f
commit 3460a2821e
2 changed files with 18 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
crates/dav/src/resource/methods/copy.rs
View File

@@ -6,12 +6,15 @@ use axum::{
extract::{MatchedPath, Path, State}, extract::{MatchedPath, Path, State},
response::{IntoResponse, Response}, response::{IntoResponse, Response},
}; };
use axum_extra::TypedHeader;
use headers::Host;
use http::{HeaderMap, StatusCode, Uri}; use http::{HeaderMap, StatusCode, Uri};
use matchit_serde::ParamsDeserializer; use matchit_serde::ParamsDeserializer;
use serde::Deserialize; use serde::Deserialize;
use tracing::instrument; use tracing::instrument;
#[instrument(skip(path, resource_service,))] #[instrument(skip(path, resource_service,))]
#[allow(clippy::too_many_arguments)]
pub async fn axum_route_copy<R: ResourceService>( pub async fn axum_route_copy<R: ResourceService>(
Path(path): Path<R::PathComponents>, Path(path): Path<R::PathComponents>,
State(resource_service): State<R>, State(resource_service): State<R>,
@@ -20,6 +23,7 @@ pub async fn axum_route_copy<R: ResourceService>(
Overwrite(overwrite): Overwrite, Overwrite(overwrite): Overwrite,
matched_path: MatchedPath, matched_path: MatchedPath,
header_map: HeaderMap, header_map: HeaderMap,
TypedHeader(host): TypedHeader<Host>,
) -> Result<Response, R::Error> { ) -> Result<Response, R::Error> {
let destination = header_map let destination = header_map
.get("Destination") .get("Destination")
@@ -27,7 +31,11 @@ pub async fn axum_route_copy<R: ResourceService>(
.to_str() .to_str()
.map_err(|_| crate::Error::Forbidden)?; .map_err(|_| crate::Error::Forbidden)?;
let destination_uri: Uri = destination.parse().map_err(|_| crate::Error::Forbidden)?; let destination_uri: Uri = destination.parse().map_err(|_| crate::Error::Forbidden)?;
// TODO: Check that host also matches if let Some(authority) = destination_uri.authority()
&& host != authority.clone().into()
{
return Err(crate::Error::Forbidden.into());
}
let destination = destination_uri.path(); let destination = destination_uri.path();
let mut router = matchit::Router::new(); let mut router = matchit::Router::new();

10
crates/dav/src/resource/methods/mv.rs
View File

@@ -6,12 +6,15 @@ use axum::{
extract::{MatchedPath, Path, State}, extract::{MatchedPath, Path, State},
response::{IntoResponse, Response}, response::{IntoResponse, Response},
}; };
use axum_extra::TypedHeader;
use headers::Host;
use http::{HeaderMap, StatusCode, Uri}; use http::{HeaderMap, StatusCode, Uri};
use matchit_serde::ParamsDeserializer; use matchit_serde::ParamsDeserializer;
use serde::Deserialize; use serde::Deserialize;
use tracing::instrument; use tracing::instrument;
#[instrument(skip(path, resource_service,))] #[instrument(skip(path, resource_service,))]
#[allow(clippy::too_many_arguments)]
pub async fn axum_route_move<R: ResourceService>( pub async fn axum_route_move<R: ResourceService>(
Path(path): Path<R::PathComponents>, Path(path): Path<R::PathComponents>,
State(resource_service): State<R>, State(resource_service): State<R>,
@@ -20,6 +23,7 @@ pub async fn axum_route_move<R: ResourceService>(
Overwrite(overwrite): Overwrite, Overwrite(overwrite): Overwrite,
matched_path: MatchedPath, matched_path: MatchedPath,
header_map: HeaderMap, header_map: HeaderMap,
TypedHeader(host): TypedHeader<Host>,
) -> Result<Response, R::Error> { ) -> Result<Response, R::Error> {
let destination = header_map let destination = header_map
.get("Destination") .get("Destination")
@@ -27,7 +31,11 @@ pub async fn axum_route_move<R: ResourceService>(
.to_str() .to_str()
.map_err(|_| crate::Error::Forbidden)?; .map_err(|_| crate::Error::Forbidden)?;
let destination_uri: Uri = destination.parse().map_err(|_| crate::Error::Forbidden)?; let destination_uri: Uri = destination.parse().map_err(|_| crate::Error::Forbidden)?;
// TODO: Check that host also matches if let Some(authority) = destination_uri.authority()
&& host != authority.clone().into()
{
return Err(crate::Error::Forbidden.into());
}
let destination = destination_uri.path(); let destination = destination_uri.path();
let mut router = matchit::Router::new(); let mut router = matchit::Router::new();