File CVE-2021-39226.patch of Package grafana
From c5bda8b9dd5439456007acb14982b3220e0f7ea3 Mon Sep 17 00:00:00 2001
From: Darragh O'Reilly <doreilly@suse.com>
Date: Mon, 5 Sep 2022 15:12:30 +0100
Subject: [PATCH] Fix static path matching issue in macaron
https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269
---
pkg/api/dashboard_snapshot.go | 10 ++++++++++
vendor/gopkg.in/macaron.v1/router.go | 10 ++++++----
2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/pkg/api/dashboard_snapshot.go b/pkg/api/dashboard_snapshot.go
index eeda6ec3b1..798adabb68 100644
--- a/pkg/api/dashboard_snapshot.go
+++ b/pkg/api/dashboard_snapshot.go
@@ -138,6 +138,10 @@ func CreateDashboardSnapshot(c *models.ReqContext, cmd models.CreateDashboardSna
// GET /api/snapshots/:key
func GetDashboardSnapshot(c *models.ReqContext) {
key := c.Params(":key")
+ if len(key) == 0 {
+ c.JsonApiErr(404, "Snapshot not found", nil)
+ return
+ }
query := &models.GetDashboardSnapshotQuery{Key: key}
err := bus.Dispatch(query)
@@ -200,6 +204,9 @@ func deleteExternalDashboardSnapshot(externalUrl string) error {
// GET /api/snapshots-delete/:deleteKey
func DeleteDashboardSnapshotByDeleteKey(c *models.ReqContext) Response {
key := c.Params(":deleteKey")
+ if len(key) == 0 {
+ return Error(404, "Snapshot not found", nil)
+ }
query := &models.GetDashboardSnapshotQuery{DeleteKey: key}
@@ -227,6 +234,9 @@ func DeleteDashboardSnapshotByDeleteKey(c *models.ReqContext) Response {
// DELETE /api/snapshots/:key
func DeleteDashboardSnapshot(c *models.ReqContext) Response {
key := c.Params(":key")
+ if len(key) == 0 {
+ return Error(404, "Snapshot not found", nil)
+ }
query := &models.GetDashboardSnapshotQuery{Key: key}
diff --git a/vendor/gopkg.in/macaron.v1/router.go b/vendor/gopkg.in/macaron.v1/router.go
index df593d669a..46cb0c160f 100644
--- a/vendor/gopkg.in/macaron.v1/router.go
+++ b/vendor/gopkg.in/macaron.v1/router.go
@@ -289,10 +289,12 @@ func (r *Router) SetHandlerWrapper(f func(Handler) Handler) {
func (r *Router) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
if t, ok := r.routers[req.Method]; ok {
// Fast match for static routes
- leaf := r.getLeaf(req.Method, req.URL.Path)
- if leaf != nil {
- leaf.handle(rw, req, nil)
- return
+ if !strings.ContainsAny(req.URL.Path, ":*") {
+ leaf := r.getLeaf(req.Method, req.URL.Path)
+ if leaf != nil {
+ leaf.handle(rw, req, nil)
+ return
+ }
}
h, p, ok := t.Match(req.URL.EscapedPath())
--
2.35.3