Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Patch for mpd tag v0.19.9 that allows unauthenticated users to enque files using the `file://' url scheme as long as the MPD daemon is able to read the files.
diff --git a/src/client/ClientFile.cxx b/src/client/ClientFile.cxx
index 3ea8034..0f75907 100644
--- a/src/client/ClientFile.cxx
+++ b/src/client/ClientFile.cxx
@@ -33,32 +33,23 @@ Client::AllowFile(Path path_fs, Error &error) const
#ifdef WIN32
(void)path_fs;
- error.Set(ack_domain, ACK_ERROR_PERMISSION, "Access denied");
+ error.Set(ack_domain, ACK_ERROR_PERMISSION, "Not Implemented.");
return false;
#else
- if (uid >= 0 && (uid_t)uid == geteuid())
- /* always allow access if user runs his own MPD
- instance */
- return true;
-
- if (uid < 0) {
- /* unauthenticated client */
- error.Set(ack_domain, ACK_ERROR_PERMISSION, "Access denied");
- return false;
- }
-
struct stat st;
if (!StatFile(path_fs, st)) {
error.SetErrno();
return false;
}
- if (st.st_uid != (uid_t)uid && (st.st_mode & 0444) != 0444) {
- /* client is not owner */
- error.Set(ack_domain, ACK_ERROR_PERMISSION, "Access denied");
- return false;
- }
-
- return true;
+ /* Check if the file itself is readable. */
+ if ((geteuid() == st.st_uid && (st.st_mode & 0400) == 0400) ||
+ (getegid() == st.st_gid && (st.st_mode & 0040) == 0040) ||
+ ((st.st_mode & 0004) == 0004)) {
+ return true;
+ }
+ /* Otherwise, we can't read these files. */
+ error.Set(ack_domain, ACK_ERROR_PERMISSION, "Access denied.");
+ return false;
#endif
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment