fix(serverHandler/upload): ignore file whose path is alias-shadowed

Author: marjune163

src/serverHandler/upload.go

@@ -98,6 +98,16 @@ func (h *handler) saveUploadFiles(fsPrefix string, createDir, overwriteExists bo
 				continue
 			}
 
+			fsInfixPart1 := fsInfix
+			fsInfixSlashIndex := strings.IndexByte(fsInfixPart1, '/')
+			if fsInfixSlashIndex > 0 {
+				fsInfixPart1 = fsInfixPart1[0:fsInfixSlashIndex]
+			}
+			if containsItem(aliasSubItems, fsInfixPart1) {
+				errs = append(errs, errors.New("upload: ignore path shadowed by alias "+fsInfix))
+				continue
+			}
+
 			filePrefix += "/" + fsInfix
 			err := os.MkdirAll(filePrefix, 0755)
 			if err != nil {
@@ -114,7 +124,7 @@ func (h *handler) saveUploadFiles(fsPrefix string, createDir, overwriteExists bo
 			continue
 		}
 
-		isFilenameAliased := containsItem(aliasSubItems, filename)
+		isFilenameAliased := len(fsInfix) == 0 && containsItem(aliasSubItems, filename)
 		var fsFilename string
 		if overwriteExists && !isFilenameAliased {
 			tryPath := filePrefix + "/" + filename

test/case/011.alias.upload.bash

@@ -2,11 +2,12 @@
 
 cleanup() {
 	rm -f "$fs"/uploaded/2/*.tmp
+	rm -fr "$fs"/vhost1/my*
 }
 
 source "$root"/lib.bash
 
-"$ghfs" -l 3003 -r "$fs"/vhost1 --alias :/my/upload:"$fs"/uploaded/2 --upload /my/upload &
+"$ghfs" -l 3003 -r "$fs"/vhost1 --alias :/my/upload:"$fs"/uploaded/2 --upload / --mkdir / &> /dev/null &
 sleep 0.05 # wait server ready
 cleanup
 
@@ -20,5 +21,17 @@ curl_upload_content 'http://127.0.0.1:3003/my/upload?upload' file "$content" 'te
 uploaded=$(cat "$fs"/uploaded/2/uploaded2.tmp)
 assert "$uploaded" "$content"
 
+curl_upload_content 'http://127.0.0.1:3003/?upload' file mycontent my
+[ -e "$fs"/vhost1/my ] && fail "$fs/vhost1/my should not exists"
+
+curl_upload_content 'http://127.0.0.1:3003/?upload' file mycontent 'dir/to/my'
+[ -e "$fs"/vhost1/my ] && fail "$fs/vhost1/my should not exists"
+
+curl_upload_content 'http://127.0.0.1:3003/?upload' dirfile mycontent 'my/myfile'
+[ -e "$fs"/vhost1/my ] && fail "$fs/vhost1/my should not exists"
+
+curl_upload_content 'http://127.0.0.1:3003/?upload' dirfile mycontent 'my/mydir/file'
+[ -e "$fs"/vhost1/my ] && fail "$fs/vhost1/my should not exists"
+
 cleanup
 jobs -p | xargs kill