version: bump to 0.97.2

template: bugfix the default include path
template: prevent possible LFI given a template injection
2025-08-04 21:03:32 +02:00 · 2025-06-01 17:50:00 +02:00 · 2025-06-01 17:47:26 +02:00 · 2025-06-01 17:43:12 +02:00
2 changed files with 19 additions and 15 deletions
--- a/src/template.sh
+++ b/src/template.sh
@ -27,24 +27,26 @@ function render() {
 	# recursion is currently unsupported here, i feel like it may break things?
 	if [[ "$template" == *'{{#'* && "$3" != true ]]; then
 		local subtemplate=
-		while read key; do 
+		while read key; do
 			# below check prevents the loop loading itself as a template.
 			# this is possibly not enough to prevent all recursions, but
 			# i see it as a last-ditch measure. so it'll do here.
-			if [[ "$file" == "$tplfile" ]]; then
-				subtemplate+="s${_tpl_ctrl}\{\{\#$key\}\}${_tpl_ctrl}I cowardly refuse to endlessly recurse\!${_tpl_ctrl}g;"
-			# elif [[ -f "$key" ]]; then
-			else
-				local i
-				local IFS=''
+			local i
+			local IFS=''

-				_template_find_absolute_path "$key"
-				local input="$(tr -d "${_tpl_ctrl}${_tpl_newline}" < "$tplfile" | sed 's/\&/<2F>UwU<77>/g')"
-				garbage+="$input"$'\n'
-				input="$(tr $'\n' "${_tpl_newline}" <<< "$input")" # for another hack
-				subtemplate+="s${_tpl_ctrl}\{\{\#$key\}\}${_tpl_ctrl}${input}${_tpl_ctrl};"
-				_template_find_special_uri "$(cat "$tplfile")"
+			_old_tplfile="$tplfile"
+			_template_find_absolute_path "$key"
+			if [[ "$(realpath "$tplfile")" == "$_old_tplfile" ]]; then
+				subtemplate+="s${_tpl_ctrl}\{\{\#$key\}\}${_tpl_ctrl}I cowardly refuse to endlessly recurse\!${_tpl_ctrl}g;"
+				continue
 			fi
+			# don't even try to include files below httpsh's root
+			[[ "$(realpath "$tplfile")" != "$(dirname "$(realpath "${cfg[namespace]}")")"* ]] && continue
+			local input="$(tr -d "${_tpl_ctrl}${_tpl_newline}" < "$tplfile" | sed 's/\&/<2F>UwU<77>/g')"
+			garbage+="$input"$'\n'
+			input="$(tr $'\n' "${_tpl_newline}" <<< "$input")" # for another hack
+			subtemplate+="s${_tpl_ctrl}\{\{\#$key\}\}${_tpl_ctrl}${input}${_tpl_ctrl};"
+			_template_find_special_uri "$(cat "$tplfile")"
 		done <<< "$(grep -Poh '{{#\K(.*?)(?=}})' <<< "$template")"

 		buf+="${subtemplate}"
@ -138,8 +140,10 @@ function render() {
 #
 # _template_find_absolute_path(name) -> $tplfile
 _template_find_absolute_path() {
-	if [[ ! "${template_relative_paths}" || "$1" == /dev/stdin || "$1" == "/dev/fd/"* ]]; then
+	if [[ "$1" == /dev/stdin || "$1" == "/dev/fd/"* ]]; then
 		tplfile="$1"
+	elif [[ ! "${template_relative_paths}" ]]; then
+		tplfile="${cfg[namespace]}/$1"
 	else
 		for (( i=0; i<${#template_relative_paths[@]}; i++ )); do
 			if [[ -f "${template_relative_paths[i]}/$1" ]]; then
--- a/src/version.sh
+++ b/src/version.sh
@ -1,2 +1,2 @@
 #!/usr/bin/env bash
-HTTPSH_VERSION=0.97.1
+HTTPSH_VERSION=0.97.2
Author	SHA1	Message	Date
sdomi	57ed8eadbf	version: bump to 0.97.2	2025-06-01 17:50:00 +02:00
sdomi	1801e05fd9	template: bugfix the default include path	2025-06-01 17:47:26 +02:00
sdomi	21f922f731	template: prevent possible LFI given a template injection we're now doing some extra work to sanitize paths in include keys.	2025-06-01 17:43:12 +02:00