backport 5571 (#5573)

techknowlogick · lunny · commit 21c70e1ed274 · 2018-12-21T16:22:56.000+08:00
diff --git a/routers/repo/editor.go b/routers/repo/editor.go
@@ -559,6 +559,17 @@ func UploadFilePost(ctx *context.Context, form auth.UploadRepoFileForm) {
 	ctx.Redirect(ctx.Repo.RepoLink + "/src/branch/" + branchName + "/" + form.TreePath)
 }
 
+func cleanUploadFileName(name string) string {
+	name = strings.TrimLeft(name, "./\\")
+	name = strings.Replace(name, "../", "", -1)
+	name = strings.Replace(name, "..\\", "", -1)
+	name = strings.TrimPrefix(path.Clean(name), ".git/")
+	if name == ".git" {
+		return ""
+	}
+	return name
+}
+
 // UploadFileToServer upload file to server file dir not git
 func UploadFileToServer(ctx *context.Context) {
 	file, header, err := ctx.Req.FormFile("file")
@@ -591,7 +602,13 @@ func UploadFileToServer(ctx *context.Context) {
 		}
 	}
 
-	upload, err := models.NewUpload(header.Filename, buf, file)
+	name := cleanUploadFileName(header.Filename)
+	if len(name) == 0 {
+		ctx.Error(500, "Upload file name is invalid")
+		return
+	}
+
+	upload, err := models.NewUpload(name, buf, file)
 	if err != nil {
 		ctx.Error(500, fmt.Sprintf("NewUpload: %v", err))
 		return
diff --git a/routers/repo/editor_test.go b/routers/repo/editor_test.go
@@ -0,0 +1,30 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package repo
+
+import (
+	"testing"
+
+	"code.gitea.io/gitea/models"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCleanUploadName(t *testing.T) {
+	models.PrepareTestEnv(t)
+
+	var kases = map[string]string{
+		".git/refs/master": "git/refs/master",
+		"/root/abc":        "root/abc",
+		"./../../abc":      "abc",
+		"a/../.git":        "a/.git",
+		"a/../../../abc":   "a/abc",
+		"../../../acd":     "acd",
+		"../../.git/abc":   "git/abc",
+		"..\\..\\.git/abc": "git/abc",
+	}
+	for k, v := range kases {
+		assert.EqualValues(t, v, cleanUploadFileName(k))
+	}
+}
