
diff --git a/pkg/api/avatar/avatar.go b/pkg/api/avatar/avatar.go
98a961
--- a/pkg/api/avatar/avatar.go
98a961
+++ b/pkg/api/avatar/avatar.go
98a961
@@ -17,14 +17,15 @@ import (
98a961
 	"net/http"
98a961
 	"net/url"
98a961
 	"path/filepath"
98a961
+	"regexp"
98a961
 	"strconv"
98a961
 	"strings"
98a961
 	"sync"
98a961
 	"time"
98a961
 
98a961
 	"github.com/grafana/grafana/pkg/infra/log"
98a961
+	"github.com/grafana/grafana/pkg/models"
98a961
 	"github.com/grafana/grafana/pkg/setting"
98a961
-	"gopkg.in/macaron.v1"
98a961
 
98a961
 	gocache "github.com/patrickmn/go-cache"
98a961
 )
98a961
@@ -97,9 +98,15 @@ type CacheServer struct {
98a961
 	cache    *gocache.Cache
98a961
 }
98a961
 
98a961
-func (this *CacheServer) Handler(ctx *macaron.Context) {
98a961
-	urlPath := ctx.Req.URL.Path
98a961
-	hash := urlPath[strings.LastIndex(urlPath, "/")+1:]
98a961
+var validMD5 = regexp.MustCompile("^[a-fA-F0-9]{32}$")
98a961
+
98a961
+func (this *CacheServer) Handler(ctx *models.ReqContext) {
98a961
+	hash := ctx.Params("hash")
98a961
+
98a961
+	if len(hash) != 32 || !validMD5.MatchString(hash) {
98a961
+		ctx.JsonApiErr(404, "Avatar not found", nil)
98a961
+		return
98a961
+	}
98a961
 
98a961
 	var avatar *Avatar
98a961