uup-dump/api
8
0
Fork 2
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix potential path traversal vulnerabilities

Browse Source
This commit is contained in:
Kaenbyou Rin
2025-09-20 00:20:02 +02:00
parent 84a149c044
commit 887dcf71d3
3 changed files with 37 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
shared/fileinfo.php
View File

@@ -31,6 +31,9 @@ function uupApiGetFileinfoDirs() {
} }
function uupApiGetFileinfoName($updateId, $meta = false) { function uupApiGetFileinfoName($updateId, $meta = false) {
if(!uupApiCheckUpdateId($updateId))
return null;
$fileName = $updateId.'.json'; $fileName = $updateId.'.json';
$dirs = uupApiGetFileinfoDirs(); $dirs = uupApiGetFileinfoDirs();
@@ -41,7 +44,12 @@ function uupApiGetFileinfoName($updateId, $meta = false) {
} }
function uupApiFileInfoExists($updateId) { function uupApiFileInfoExists($updateId) {
return file_exists(uupApiGetFileinfoName($updateId)); $name = uupApiGetFileinfoName($updateId);
if($name === null)
return false;
return file_exists($name);
} }
function uupApiWriteFileinfoMeta($updateId, $info) { function uupApiWriteFileinfoMeta($updateId, $info) {
@@ -49,12 +57,19 @@ function uupApiWriteFileinfoMeta($updateId, $info) {
unset($info['files']); unset($info['files']);
$file = uupApiGetFileinfoName($updateId, true); $file = uupApiGetFileinfoName($updateId, true);
if($file === null)
return false;
return uupApiWriteJson($file, $info); return uupApiWriteJson($file, $info);
} }
function uupApiWriteFileinfo($updateId, $info) { function uupApiWriteFileinfo($updateId, $info) {
$file = uupApiGetFileinfoName($updateId); $file = uupApiGetFileinfoName($updateId);
if($file === null)
return false;
if(uupApiWriteJson($file, $info) === false) if(uupApiWriteJson($file, $info) === false)
return false; return false;
@@ -64,10 +79,14 @@ function uupApiWriteFileinfo($updateId, $info) {
function uupApiReadFileinfoMeta($updateId) { function uupApiReadFileinfoMeta($updateId) {
$file = uupApiGetFileinfoName($updateId, true); $file = uupApiGetFileinfoName($updateId, true);
if($file === null)
return false;
if(file_exists($file)) if(file_exists($file))
return uupApiReadJson($file); return uupApiReadJson($file);
$info = uupApiReadFileinfo($updateId, false); $info = uupApiReadFileinfo($updateId, false);
if($info === false) if($info === false)
return false; return false;
@@ -88,6 +107,10 @@ function uupApiReadFileinfo($updateId, $meta = false) {
return uupApiReadFileinfoMeta($updateId); return uupApiReadFileinfoMeta($updateId);
$file = uupApiGetFileinfoName($updateId); $file = uupApiGetFileinfoName($updateId);
if($file === null)
return false;
$info = uupApiReadJson($file); $info = uupApiReadJson($file);
return $info; return $info;

15
shared/packs.php
View File

@@ -16,6 +16,7 @@ limitations under the License.
*/ */
require_once dirname(__FILE__).'/../listid.php'; require_once dirname(__FILE__).'/../listid.php';
require_once dirname(__FILE__).'/utils.php';
function uupGetInfoTexts() { function uupGetInfoTexts() {
$fancyLangNames = array( $fancyLangNames = array(
@@ -204,11 +205,19 @@ function uupGetInfoTexts() {
} }
function uupApiGetPacks($updateId) { function uupApiGetPacks($updateId) {
if(empty($updateId)) return []; if(empty($updateId))
if(!file_exists('packs/'.$updateId.'.json.gz')) return []; return [];
if(!uupApiCheckUpdateId($updateId))
return [];
if(!file_exists('packs/'.$updateId.'.json.gz'))
return [];
$genPack = @gzdecode(@file_get_contents('packs/'.$updateId.'.json.gz')); $genPack = @gzdecode(@file_get_contents('packs/'.$updateId.'.json.gz'));
if(empty($genPack)) return [];
if(empty($genPack))
return [];
$genPack = json_decode($genPack, 1); $genPack = json_decode($genPack, 1);
return $genPack; return $genPack;

2
shared/utils.php
View File

@@ -19,7 +19,7 @@ function uupApiPrintBrand() {
global $uupApiBrandPrinted; global $uupApiBrandPrinted;
if(!isset($uupApiBrandPrinted)) { if(!isset($uupApiBrandPrinted)) {
consoleLogger('UUP dump API v'.uupApiVersion()); consoleLogger('UUP dump API');
$uupApiBrandPrinted = 1; $uupApiBrandPrinted = 1;
} }
} }