[arch-commits] Commit in hedgedoc/trunk (PKGBUILD fix-path-traversal.patch)
Jelle van der Waa
jelle at archlinux.org
Mon Apr 26 21:27:17 UTC 2021
Date: Monday, April 26, 2021 @ 21:27:17
Author: jelle
Revision: 924564
Fix path traversal security issue
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87
Added:
hedgedoc/trunk/fix-path-traversal.patch
Modified:
hedgedoc/trunk/PKGBUILD
--------------------------+
PKGBUILD | 13 ++++++++++---
fix-path-traversal.patch | 31 +++++++++++++++++++++++++++++++
2 files changed, 41 insertions(+), 3 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2021-04-26 20:18:16 UTC (rev 924563)
+++ PKGBUILD 2021-04-26 21:27:17 UTC (rev 924564)
@@ -2,7 +2,7 @@
pkgname=hedgedoc
pkgver=1.7.2
-pkgrel=2
+pkgrel=3
pkgdesc="Platform to write and share markdown"
arch=('any')
url='https://github.com/hedgedoc/hedgedoc'
@@ -16,13 +16,20 @@
source=("${pkgname}-${pkgver}.tar.gz::https://github.com/hedgedoc/${pkgname}/archive/${pkgver}.tar.gz"
"sysusers.conf"
"tmpfiles.conf"
- "hedgedoc.service")
+ "hedgedoc.service"
+ "fix-path-traversal.patch")
options=(!emptydirs)
sha1sums=('d9420b702529558bddcbc7686ba8f0ce76e8b3c9'
'dc4220c9d7e21d2b5b5c54462bb681375d1cce62'
'faee704ac2e65e565f7bdcb527c2d0c73c20e682'
- 'c0a8ea9c6a27a1810c56365609d9b42d8d2ed935')
+ 'c0a8ea9c6a27a1810c56365609d9b42d8d2ed935'
+ '4bd0cac60dcf67812cc5a232305073ee08bd558f')
+prepare() {
+ cd "${pkgname}-${pkgver}"
+ patch -Np1 -i "${srcdir}"/fix-path-traversal.patch
+}
+
build() {
cd "${pkgname}-${pkgver}"
# Build steps from Dockerfile
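Review bot: The new `fix-path-traversal.patch` entry is pinned only by a SHA-1 digest, appended to the existing `sha1sums` array that also covers the tarball fetched from GitHub. SHA-1 is no longer collision-resistant, so for a security-fix release it would be better to switch the whole array to `sha256sums=(...)` or `sha512sums=(...)`, regenerating every entry (for example with `updpkgsums`). It would also help to add a comment above the `patch` call in `prepare()`, such as `# GHSA-p528-555r-pf87: drop once pkgver contains the upstream fix`, so the patch is removed on the next version bump. `build()` continues outside the hunk.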
Added: fix-path-traversal.patch
===================================================================
--- fix-path-traversal.patch (rev 0)
+++ fix-path-traversal.patch 2021-04-26 21:27:17 UTC (rev 924564)
@@ -0,0 +1,31 @@
+diff --git a/lib/models/note.js b/lib/models/note.js
+index 9fe02359..49b7ce84 100644
+--- a/lib/models/note.js
++++ b/lib/models/note.js
+@@ -96,7 +96,7 @@ module.exports = function (sequelize, DataTypes) {
+ if (!note.alias) {
+ filePath = config.defaultNotePath
+ } else {
+- filePath = path.join(config.docsPath, note.alias + '.md')
++ filePath = path.join(config.docsPath, path.basename(note.alias) + '.md')
+ }
+ if (Note.checkFileExist(filePath)) {
+ var fsCreatedTime = moment(fs.statSync(filePath).ctime)
+@@ -195,7 +195,7 @@ module.exports = function (sequelize, DataTypes) {
+ }
+ }).then(function (note) {
+ if (note) {
+- let filePath = path.join(config.docsPath, noteId + '.md')
++ let filePath = path.join(config.docsPath, path.basename(noteId) + '.md')
+ if (Note.checkFileExist(filePath)) {
+ // if doc in filesystem have newer modified time than last change time
+ // then will update the doc in db
+@@ -237,7 +237,7 @@ module.exports = function (sequelize, DataTypes) {
+ return callback(null, note.id)
+ }
+ } else {
+- var filePath = path.join(config.docsPath, noteId + '.md')
++ var filePath = path.join(config.docsPath, path.basename(noteId) + '.md')
+ if (Note.checkFileExist(filePath)) {
+ Note.create({
+ alias: noteId,
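Review bot: In the third embedded hunk the file lookup uses `path.basename(noteId)`, but the following `Note.create({ alias: noteId, ...` still stores the unnormalised value. An id containing path separators is therefore silently mapped to a file inside `config.docsPath` while being persisted under a different alias, so several distinct aliases can resolve to the same `.md` file. Rejecting such ids is easier to reason about than rewriting them: compute `const safeId = path.basename(noteId)` once, treat `safeId !== noteId` as not found, and use `safeId` for both the path and the alias. Separately, `path.basename` throws on a non-string argument where the old `noteId + '.md'` coerced, so if `noteId` or `note.alias` can be anything other than a string a type check is needed first. The enclosing functions start and end outside these hunks, so how a rejection should be reported to the caller needs checking against the full file.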