author: cm-jishnu <jishnunambiarcm@duck.com> 2022-12-02 12:45:27 +0300
committer: Jishnu C M <jishnunambiarcm@duck.com> 2022-12-16 07:57:51 +0300
commit: 5a19396d081c5cb68d3e880529ecd552d1c4f5a0 (patch)
tree: 6f3fd06f7857300f1a077fcb7b32c64ccf4ccc74 /include/ibm
parent: 1e3f85e68076b6270ce3afcae71a88f5b71fbfb8 (diff)
Restrict use of subfolder in configfiles path

GET function on the config files path now lists all the contents including sub directories. Creation of subdirectories under config files is not allowed from the UI, however it's possible to create manually. If we try to access a subfolder with GET command, bmcweb handles the folder name as file name and crashes trying to open. Hence we limit the use of subfolder under config files by not listing them in the response of the GET command, and returning an error if the user is trying to run a GET on subfolder created manually.

Tested:
Create subfolder under configfiles path
    curl -k -H "X-Auth-Token: $bmc_token" -X GET -D patch1.txt https://${bmc}/ibm/v1/Host/ConfigFiles
Without fix: Lists all contents of the ConfigFiles folder
With fix: lists only the regular files

Run the command with subfolder
    curl -k -H "X-Auth-Token: $bmc_token" -X GET -D patch1.txt https://${bmc}/ibm/v1/Host/ConfigFiles/testfolder
Without fix: bmcweb crashes
With the fix: “Description”: “Resource Not Found”

Change-Id: I71ef5523c6bc425e880a28a6e1175c677ef0a102
Signed-off-by: Jishnu C M <jishnunambiarcm@duck.com>

Diffstat (limited to 'include/ibm')
-rw-r--r-- include/ibm/management_console_rest.hpp | 9
1 files changed, 6 insertions, 3 deletions
diff --git a/include/ibm/management_console_rest.hpp b/include/ibm/management_console_rest.hpp
index 97ac497aec..34befd7fb1 100644
--- a/include/ibm/management_console_rest.hpp
+++ b/include/ibm/management_console_rest.hpp
@@ -243,8 +243,11 @@ inline void
for (const auto& file : std::filesystem::directory_iterator(loc))
{
const std::filesystem::path& pathObj = file.path();
- pathObjList.push_back("/ibm/v1/Host/ConfigFiles/" +
- pathObj.filename().string());
+ if (std::filesystem::is_regular_file(pathObj))
+ {
+ pathObjList.push_back("/ibm/v1/Host/ConfigFiles/" +
+ pathObj.filename().string());
+ }
}
}
asyncResp->res.jsonValue["@odata.type"] =
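Review bot: The new `std::filesystem::is_regular_file(pathObj)` call inside the directory_iterator loop is the throwing overload, so a status failure on any entry (for example one removed between iteration and the check) raises std::filesystem_error inside the request handler, which would bring back the kind of crash this change is meant to remove unless a try/catch surrounds the loop outside the visible lines. Suggest the non-throwing form, e.g. `std::error_code ec; if (file.is_regular_file(ec) && !ec)`, which also reuses the directory_entry's cached status instead of a second stat on pathObj. Note too that is_regular_file follows symlinks, so a manually created symlink to a regular file is still listed; if only plain files should be exposed, also check `file.is_symlink(ec)`.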
@@ -302,7 +305,7 @@ inline void handleFileGet(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
BMCWEB_LOG_DEBUG << "HandleGet on SaveArea files on path: " << fileID;
std::filesystem::path loc(
"/var/lib/bmcweb/ibm-management-console/configfiles/" + fileID);
- if (!std::filesystem::exists(loc))
+ if (!std::filesystem::exists(loc) || !std::filesystem::is_regular_file(loc))
{
BMCWEB_LOG_ERROR << loc.string() << " Not found";
asyncResp->res.result(boost::beast::http::status::not_found);
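Review bot: In the condition `!std::filesystem::exists(loc) || !std::filesystem::is_regular_file(loc)` the exists() test is redundant, since is_regular_file() already returns false for a path that does not exist, and both calls are the throwing overloads on a path built from the request's fileID. Suggest a single `std::error_code ec; if (!std::filesystem::is_regular_file(loc, ec))` so that a status error ends in the 404 branch rather than an exception. Two smaller points: is_regular_file follows symlinks, so a symlink placed in configfiles that points at a regular file elsewhere still passes this check, and the error log now prints "Not found" for a directory that does exist, so a distinct message for the not-a-regular-file case would make debugging easier.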