From d045588f048cfdb6bcdd36dcd1cdbe38318fd39a Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Fri, 18 Dec 2015 00:52:49 +0100
Subject: local:// sanitzes path now
diff --git a/conf.go b/conf.go
index 2386ba9..5f22782 100644
--- a/conf.go
+++ b/conf.go
@@ -43,6 +43,7 @@ type Config struct {
 db_user string
 db_passwd string
 db_db string
+ LocalFetchDir string
 ImportParamDefaults
 }
@@ -67,7 +68,7 @@ func (self *Config) read_config_file() error {
 return nil
 }
-func NewConfig(configfile, rdxport_endpoint, temp_dir *string) (conf *Config, err error) {
+func NewConfig(configfile, rdxport_endpoint, temp_dir, local_fetch_dir *string) (conf *Config, err error) {
 conf = new(Config)
 conf.configfile = *configfile
 if err = conf.read_config_file(); err != nil {
@@ -75,6 +76,7 @@ func NewConfig(configfile, rdxport_endpoint, temp_dir *string) (conf *Config, er
 }
 conf.RDXportEndpoint = *rdxport_endpoint
 conf.TempDir = *temp_dir
+ conf.LocalFetchDir = *local_fetch_dir
 conf.ImportParamDefaults.Channels = 2
 conf.ImportParamDefaults.NormalizationLevel = -12
 conf.ImportParamDefaults.AutotrimLevel = 0
diff --git a/fetcher.go b/fetcher.go
index 38e1d7f..fed51bf 100644
--- a/fetcher.go
+++ b/fetcher.go
@@ -32,6 +32,7 @@ import (
 "net/url"
 "os"
 "path"
+ "path/filepath"
 "strings"
 )
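Review bot: In conf.go's NewConfig, `conf.LocalFetchDir = *local_fetch_dir` stores the value unchecked, although FetchFileLocal in fetcher.go now treats it as the confinement root for `local://` imports. `filepath.Join` ignores empty elements, so an empty LocalFetchDir makes the joined result the cleaned absolute URI path and nothing is confined. Whether the caller supplies a non-empty default is not visible in this patch; if it can be empty or relative, NewConfig should reject it, e.g. `if !filepath.IsAbs(*local_fetch_dir) { return nil, fmt.Errorf("local fetch dir must be an absolute path") }` (this needs `fmt` and `path/filepath` imported in conf.go). NewConfig's body continues outside the hunk.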
@@ -129,19 +130,18 @@ func FetchFileCurl(ctx *ImportContext, uri *url.URL) (err error) {
 return
 }
-// TODO: check path to import from -> don't touch problematic files like /etc/shadow...
-// the daemon shouldn't be running as a user who can do any harm anyway
-// still: let's make a special configurable directory the local:/// dir
-// and only allow absolute paths here which will be based on the
-// 'local' directory
-// TODO: also check if file exists and is accessable!!! otherwise curl will blow up
-// with a not-easy-to-understand error
 func FetchFileLocal(ctx *ImportContext, uri *url.URL) (err error) {
 rhl.Printf("Local fetcher called for '%s'", ctx.SourceUri)
 if ctx.ProgressCallBack != nil {
 ctx.ProgressCallBack(1, "fetching", 1.0, ctx.ProgressCallBackData)
 }
- ctx.SourceFile = uri.Path
+
+ ctx.SourceFile = filepath.Join(ctx.Config.LocalFetchDir, path.Clean("/"+uri.Path))
+ var src *os.File
+ if src, err = os.Open(ctx.SourceFile); err != nil {
+ return
+ }
+ defer src.Close()
 ctx.DeleteSourceFile = false
 ctx.DeleteSourceDir = false
 return
@@ -182,7 +182,6 @@ func fetcher_init() {
 }
 }
-// TODO: make sure a (partially) fetched file get's deleted on error
 func FetchFile(ctx *ImportContext) (err error) {
 var uri *url.URL
-- 
cgit v0.10.2
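Review bot: In FetchFileLocal, `path.Clean("/"+uri.Path)` only removes `..` segments lexically, so a symlink placed inside LocalFetchDir can still resolve to a file outside it. The `os.Open` probe that follows also succeeds on directories and device nodes and can block on a FIFO, so it does not establish that the source is an importable regular file. I would resolve both paths with `filepath.EvalSymlinks`, check containment with `filepath.Rel`, and replace the open-and-close probe with a stat and `Mode().IsRegular()`, as sketched below (this assumes `fmt` is already imported in fetcher.go). The file is still handed on by name, so a directory writable by other users leaves a window between this check and the later read, which deserves a comment on the function. FetchFileLocal's closing brace lies outside the hunk.

```go
	ctx.SourceFile = filepath.Join(ctx.Config.LocalFetchDir, path.Clean("/"+uri.Path))

	// Resolve symlinks on both sides so a link inside LocalFetchDir cannot
	// lead outside of it.
	var root, resolved, rel string
	if root, err = filepath.EvalSymlinks(ctx.Config.LocalFetchDir); err != nil {
		return
	}
	if resolved, err = filepath.EvalSymlinks(ctx.SourceFile); err != nil {
		return
	}
	if rel, err = filepath.Rel(root, resolved); err != nil {
		return
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return fmt.Errorf("local fetcher: '%s' is outside of the local fetch directory", ctx.SourceUri)
	}

	// Only regular files are importable; this also avoids blocking on a FIFO.
	var info os.FileInfo
	if info, err = os.Stat(resolved); err != nil {
		return
	}
	if !info.Mode().IsRegular() {
		return fmt.Errorf("local fetcher: '%s' is not a regular file", ctx.SourceUri)
	}
	ctx.SourceFile = resolved
	// … unchanged: DeleteSourceFile / DeleteSourceDir assignments and return …
```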