From 9dd138b03348f24a001d60f27e29c8c62af28871 Mon Sep 17 00:00:00 2001
From: DL6ER
Date: Mon, 4 Mar 2024 19:38:13 +0100
Subject: [PATCH] Only use local files (file://) when they have explicit permissions a+r
Signed-off-by: DL6ER
---
 gravity.sh | 36 ++++++++++++++++++++++++++++++++----
 1 file changed, 32 insertions(+), 4 deletions(-)
diff --git a/gravity.sh b/gravity.sh
index 62631e3c..86c7fc23 100755
--- a/gravity.sh
+++ b/gravity.sh
@@ -503,6 +503,7 @@ compareLists() {
 gravity_DownloadBlocklistFromUrl() {
 local url="${1}" adlistID="${2}" saveLocation="${3}" target="${4}" compression="${5}"
 local heisenbergCompensator="" listCurlBuffer str httpCode success="" ip cmd_ext
+ local file_path permissions ip_addr port blocked=false download=true
 # Create temp file to store content on disk instead of RAM
 # We don't use '--suffix' here because not all implementations of mktemp support it, e.g. on Alpine
@@ -519,7 +520,6 @@ gravity_DownloadBlocklistFromUrl() {
 str="Status:"
 echo -ne " ${INFO} ${str} Pending..."
- blocked=false
 case $BLOCKINGMODE in
 "IP-NODATA-AAAA"|"IP")
 # Get IP address of this domain
@@ -560,8 +560,36 @@ gravity_DownloadBlocklistFromUrl() {
 cmd_ext="--resolve $domain:$port:$ip"
 fi
- # shellcheck disable=SC2086
- httpCode=$(curl --connect-timeout ${curl_connect_timeout} -s -L ${compression} ${cmd_ext} ${heisenbergCompensator} -w "%{http_code}" "${url}" -o "${listCurlBuffer}" 2> /dev/null)
+ # If we are going to "download" a local file, we first check if the target
+ # file has a+r permission. We explicitly check for all+read because we want
+ # to make sure that the file is readable by everyone and not just the user
+ # running the script.
+ if [[ $url == "file://"* ]]; then
+ # Get the file path
+ file_path=$(echo "$url" | cut -d'/' -f3-)
+ # Check if the file exists
+ if [[ ! -e $file_path ]]; then
+ # Output that the file does not exist
+ echo -e "${OVER} ${CROSS} ${file_path} does not exist"
+ download=false
+ else
+ # Check if the file has a+r permissions
+ permissions=$(stat -c "%a" "$file_path")
+ if [[ $permissions == "??4" || $permissions == "??5" || $permissions == "??6" || $permissions == "??7" ]]; then
+ # Output that we are using the local file
+ echo -e "${OVER} ${INFO} Using local file ${file_path}"
+ else
+ # Output that the file does not have the correct permissions
+ echo -e "${OVER} ${CROSS} Cannot read file (file needs to have a+r permission)"
+ download=false
+ fi
+ fi
+ fi
+
+ if [[ "${download}" == true ]]; then
+ # shellcheck disable=SC2086
+ httpCode=$(curl --connect-timeout ${curl_connect_timeout} -s -L ${compression} ${cmd_ext} ${heisenbergCompensator} -w "%{http_code}" "${url}" -o "${listCurlBuffer}" 2> /dev/null)
+ fi
 case $url in
 # Did we "download" a local file?
@@ -569,7 +597,7 @@ gravity_DownloadBlocklistFromUrl() {
 if [[ -s "${listCurlBuffer}" ]]; then
 echo -e "${OVER} ${TICK} ${str} Retrieval successful"; success=true
 else
- echo -e "${OVER} ${CROSS} ${str} Not found / empty list"
+ echo -e "${OVER} ${CROSS} ${str} Retrieval failed / empty list"
 fi;;
 # Did we "download" a remote file?
 *)
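Review bot: The permission test in the added `if [[ $permissions == "??4" || … ]]` can never succeed, because a quoted right-hand side inside `[[ ]]` is compared as a literal string rather than a glob, so every `file://` list is rejected, including world-readable ones. An unquoted pattern on the last octal digit does what the comment describes and also copes with four-digit modes: `if [[ $permissions == *[4-7] ]]; then`. Once that matches, `stat -c "%a"` without `-L` reports the mode of a symbolic link itself rather than of its target, so a link pointing at a file that is not world-readable would presumably pass the check; `permissions=$(stat -L -c "%a" "$file_path")` inspects the file curl will actually read. The check also says nothing about the permissions of the parent directories, and the function body continues outside the hunk.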