Date: Monday, April 26, 2021 @ 21:27:17 Author: jelle Revision: 924564
Fix path traversal security issue https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-p528-555r-pf87 Added: hedgedoc/trunk/fix-path-traversal.patch Modified: hedgedoc/trunk/PKGBUILD --------------------------+ PKGBUILD | 13 ++++++++++--- fix-path-traversal.patch | 31 +++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+), 3 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2021-04-26 20:18:16 UTC (rev 924563) +++ PKGBUILD 2021-04-26 21:27:17 UTC (rev 924564) @@ -2,7 +2,7 @@ pkgname=hedgedoc pkgver=1.7.2 -pkgrel=2 +pkgrel=3 pkgdesc="Platform to write and share markdown" arch=('any') url='https://github.com/hedgedoc/hedgedoc' @@ -16,13 +16,20 @@ source=("${pkgname}-${pkgver}.tar.gz::https://github.com/hedgedoc/${pkgname}/archive/${pkgver}.tar.gz" "sysusers.conf" "tmpfiles.conf" - "hedgedoc.service") + "hedgedoc.service" + "fix-path-traversal.patch") options=(!emptydirs) sha1sums=('d9420b702529558bddcbc7686ba8f0ce76e8b3c9' 'dc4220c9d7e21d2b5b5c54462bb681375d1cce62' 'faee704ac2e65e565f7bdcb527c2d0c73c20e682' - 'c0a8ea9c6a27a1810c56365609d9b42d8d2ed935') + 'c0a8ea9c6a27a1810c56365609d9b42d8d2ed935' + '4bd0cac60dcf67812cc5a232305073ee08bd558f') +prepare() { cd "${pkgname}-${pkgver}" patch -Np1 -i "${srcdir}"/fix-path-traversal.patch } + build() { cd "${pkgname}-${pkgver}" # Build steps from Dockerfile Added: fix-path-traversal.patch =================================================================== --- fix-path-traversal.patch (rev 0) +++ fix-path-traversal.patch 2021-04-26 21:27:17 UTC (rev 924564) 
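Review bot: The new `'4bd0cac60dcf67812cc5a232305073ee08bd558f'` entry extends a `sha1sums` array, so both the upstream tarball and the security patch applied in `prepare()` are verified with SHA-1 only; Arch packaging guidance discourages md5/sha1 in favour of `sha256sums` or `b2sums`. Since this revision already touches the checksum array, it is a cheap moment to regenerate it as `sha256sums=(...)` via `updpkgsums` rather than carrying a weak digest forward on a security-fix release. The `prepare()` body itself (`patch -Np1 -i "${srcdir}"/fix-path-traversal.patch`) is fine; `patch` exits non-zero on a failed hunk and makepkg aborts, so a stale patch cannot silently produce an unpatched package.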
@@ -0,0 +1,31 @@
+diff --git a/lib/models/note.js b/lib/models/note.js
+index 9fe02359..49b7ce84 100644
+--- a/lib/models/note.js
++++ b/lib/models/note.js
+@@ -96,7 +96,7 @@ module.exports = function (sequelize, DataTypes) {
+ if (!note.alias) {
+ filePath = config.defaultNotePath
+ } else {
+- filePath = path.join(config.docsPath, note.alias + '.md')
++ filePath = path.join(config.docsPath, path.basename(note.alias) + '.md')
+ }
+ if (Note.checkFileExist(filePath)) {
+ var fsCreatedTime = moment(fs.statSync(filePath).ctime)
+@@ -195,7 +195,7 @@ module.exports = function (sequelize, DataTypes) {
+ }
+ }).then(function (note) {
+ if (note) {
+- let filePath = path.join(config.docsPath, noteId + '.md')
++ let filePath = path.join(config.docsPath, path.basename(noteId) + '.md')
+ if (Note.checkFileExist(filePath)) {
+ // if doc in filesystem have newer modified time than last change time
+ // then will update the doc in db
+@@ -237,7 +237,7 @@ module.exports = function (sequelize, DataTypes) {
+ return callback(null, note.id)
+ }
+ } else {
+- var filePath = path.join(config.docsPath, noteId + '.md')
++ var filePath = path.join(config.docsPath, path.basename(noteId) + '.md')
+ if (Note.checkFileExist(filePath)) {
+ Note.create({
+ alias: noteId,
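Review bot: `path.basename()` in all three hunks does keep the lookup inside `config.docsPath`, but it remaps a malformed alias instead of rejecting it, so `x/bar`, `../bar` and `bar` all resolve to `docsPath/bar.md`. In the third hunk this means `Note.create({ alias: noteId, ...` still runs with the original separator-containing `noteId`, seeding a note whose stored alias no longer matches the file it was read from, and the mtime comparison in the second hunk has the same alias/file mismatch. A stricter guard for hunks two and three is `if (path.basename(noteId) === noteId && Note.checkFileExist(filePath)) {`, so a traversal attempt takes the existing file-not-found path instead of being silently rewritten to a sibling document. The enclosing `module.exports` function and the promise callbacks these lines sit in begin and end outside the hunk, so what the not-found path does after the guard is inferred here rather than visible.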