| author | adnano <[email protected]> | 2020-09-26 17:13:13 -0400 |
|---|---|---|
| committer | adnano <[email protected]> | 2020-09-26 17:13:13 -0400 |
| commit | a1a2523c5c1981c2f5494d3e44f5c1dcf681209a (patch) | |
| tree | 564b0b19ffedd6b73a39204d3e2211eccc0a92b7 /server.go | |
| parent | Implement default client (diff) | |
| download | go-gemini-a1a2523c5c1981c2f5494d3e44f5c1dcf681209a.tar.xz go-gemini-a1a2523c5c1981c2f5494d3e44f5c1dcf681209a.zip | |
Reject requests containing '..' in them
Diffstat (limited to 'server.go')
| -rw-r--r-- | server.go | 21 |
1 files changed, 21 insertions, 0 deletions
@@ -264,6 +264,7 @@ type ServeDir struct {
 }
 // FileServer takes a filesystem and returns a handler which uses that filesystem.
+// The returned Handler rejects requests containing '..' in them.
 func FileServer(fsys FS) Handler {
 return fsHandler{
 fsys,
@@ -275,6 +276,12 @@ type fsHandler struct {
 }
 func (fsys fsHandler) Serve(rw *ResponseWriter, req *Request) {
+ if containsDotDot(req.URL.Path) {
+ // Reject requests with '..' in them
+ rw.WriteHeader(StatusBadRequest, "Invalid URL path")
+ return
+ }
+
 // FIXME: Don't serve paths with .. in them
 f, err := fsys.Open(req.URL.Path)
 if err != nil {
@@ -288,6 +295,20 @@ func (fsys fsHandler) Serve(rw *ResponseWriter, req *Request) {
 io.Copy(rw, f)
 }
+func containsDotDot(v string) bool {
+ if !strings.Contains(v, "..") {
+ return false
+ }
+ for _, ent := range strings.FieldsFunc(v, isSlashRune) {
+ if ent == ".." {
+ return true
+ }
+ }
+ return false
+}
+
+func isSlashRune(r rune) bool { return r == '/' || r == '\\' }
+
 // TODO: replace with fs.FS when available
 type FS interface {
 Open(name string) (File, error)
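Review bot: The `// FIXME: Don't serve paths with .. in them` context line left directly below the new guard in Serve is now stale, because the guard above it is exactly that check; remove it or fold it into the guard's own comment, e.g. `// Reject '..' path elements before the path reaches fsys.Open`. It is also worth stating in that comment that this is the only normalization done here: containsDotDot rejects literal `..` elements of req.URL.Path, and anything else the path may need (repeated slashes, `.` elements) is left to whatever FS implementation sits behind fsys.Open, so readers should not assume the path is cleaned at this point. Serve's body continues outside the hunk.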
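Review bot: containsDotDot and isSlashRune in the third hunk are added without doc comments, and the reason isSlashRune treats '\\' as a separator in addition to '/' is not obvious from the code. Suggest `// containsDotDot reports whether v contains a ".." path element, splitting on both '/' and '\\' so a backslash-separated element is not overlooked.` above containsDotDot and `// isSlashRune reports whether r is a forward or backward slash path separator.` above isSlashRune. The leading strings.Contains check is only a fast path for the common case and a one-line comment saying so would keep the next maintainer from reading it as the actual decision.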