Disallow uploading to files/fitnesse.

You can possibly upload css, javascript and page templates. Fixes unclebob#702
oliverkuntze · Mar 15, 2016 · d114aef · d114aef
1 parent df9a45e
commit d114aef
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 2 deletions.
diff --git a/FitNesseRoot/files/fitnesse/README.txt b/FitNesseRoot/files/fitnesse/README.txt
@@ -1,6 +1,9 @@
-This section will contain the resources.
+This section will contain custom resources (css, templates).
 
-Users can override files in files/fitnesse or add their own (e.g. a custom
+NOTE: You can not upload files to files/fitnesse via FitNesse. Instead add
+files directly.
+
+You can override files in files/fitnesse or add your own (e.g. a custom
 theme). Both the render engine (Velocity) and the FileResponder check
 files/fitnesse and the fitnesse.resources package when looking for a particular
 file.

diff --git a/src/fitnesse/responders/files/FileResponder.java b/src/fitnesse/responders/files/FileResponder.java
@@ -166,6 +166,11 @@ public static boolean isInFilesDirectory(File rootPath, File file) throws IOExce
             file.getCanonicalFile());
   }
 
+  public static boolean isInFilesFitNesseDirectory(File rootPath, File file) throws IOException {
+    return isInSubDirectory(new File(new File(rootPath, "files"), "fitnesse").getCanonicalFile(),
+            file.getCanonicalFile());
+  }
+
   private static boolean isInSubDirectory(File dir, File file) {
     return file != null && (file.equals(dir) || isInSubDirectory(dir, file.getParentFile()));
   }

diff --git a/src/fitnesse/responders/files/UploadResponder.java b/src/fitnesse/responders/files/UploadResponder.java
@@ -45,6 +45,9 @@ public Response makeResponse(FitNesseContext context, Request request) throws IO
       if (!FileResponder.isInFilesDirectory(new File(rootPath), file)) {
         return new ErrorResponder("Invalid path: " + uploadedFile.getName()).makeResponse(context, request);
       }
+      if (FileResponder.isInFilesFitNesseDirectory(new File(rootPath), file)) {
+        return new ErrorResponder("It is not allowed to upload files in the files/fitnesse section.").makeResponse(context, request);
+      }
 
       context.versionsController.makeVersion(new FileVersion() {
 

diff --git a/test/fitnesse/responders/files/UploadResponderTest.java b/test/fitnesse/responders/files/UploadResponderTest.java
@@ -139,4 +139,14 @@ public void canNotUploadFileOutsideFilesSectionWithInvalidResource() throws Exce
   }
 
 
+  @Test
+  public void canNotUploadInFilesFitNesseFolder() throws Exception {
+    request.addUploadedFile("file", new UploadedFile("sourceFilename.txt", "plain/text", testFile));
+    request.setResource("files/fitnesse/");
+
+    SimpleResponse response = (SimpleResponse) responder.makeResponse(context, request);
+
+    assertTrue("Not the correct error message", response.getContent().contains("It is not allowed to upload files in the files/fitnesse section."));
+  }
+
 }