This commit is contained in:
Gerasimos (Makis) Maropoulos 2024-04-24 18:25:24 +03:00
parent 6167d3ed6b
commit d88273ab55
No known key found for this signature in database
GPG Key ID: D6032D1840F48BEC
3 changed files with 28 additions and 18 deletions


@ -4,7 +4,6 @@ import (
"io/fs" "io/fs"
"net/http" "net/http"
"net/url" "net/url"
"path"
"regexp" "regexp"
"strings" "strings"
"time" "time"
@ -326,7 +325,7 @@ type prefixedDir struct {
} }
func (p *prefixedDir) Open(name string) (http.File, error) { func (p *prefixedDir) Open(name string) (http.File, error) {
destPath, filename, ok, err := context.SafeFilename(p.prefix, name) destPath, _, ok, err := context.SafeFilename(p.prefix, name)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -334,8 +333,8 @@ func (p *prefixedDir) Open(name string) (http.File, error) {
return nil, http.ErrMissingFile // unsafe. return nil, http.ErrMissingFile // unsafe.
} }
name = path.Join(destPath, filename) // name = path.Join(destPath, filename)
return p.fs.Open(name) return p.fs.Open(destPath)
} }
type partyConfiguratorMiddleware struct { type partyConfiguratorMiddleware struct {
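Review bot: `return p.fs.Open(destPath)` on the last changed line of the second hunk now hands the first result of SafeFilename straight to http.FileSystem.Open, which takes a slash-separated path, while that result is built with filepath.Join in SafeFilename (second file of this commit) and so carries OS separators on Windows; the removed path.Join call had kept this code on slash semantics. SafeFilename also appears to leave that first result empty when the prefix is empty, so Open("") would be attempted if p.prefix can ever be "", which I cannot confirm from this hunk. Converting at the call site preserves the http.FileSystem contract, `return p.fs.Open(filepath.ToSlash(destPath))`, provided path/filepath is in scope in this file. The commented-out `// name = path.Join(destPath, filename)` is dead code and should be deleted rather than kept.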


@ -2418,8 +2418,10 @@ func SafeFilename(prefixDir string, name string) (string, string, bool, error) {
return prefixDir, name, false, nil return prefixDir, name, false, nil
} }
var destPath string
if prefixDir != "" {
// Join the sanitized input with the destination directory. // Join the sanitized input with the destination directory.
destPath := filepath.Join(prefixDir, filename) destPath = filepath.Join(prefixDir, filename)
// Get the canonical path of the destination directory. // Get the canonical path of the destination directory.
canonicalDestDir, err := filepath.EvalSymlinks(prefixDir) // the prefix dir should exists. canonicalDestDir, err := filepath.EvalSymlinks(prefixDir) // the prefix dir should exists.
@ -2432,6 +2434,7 @@ func SafeFilename(prefixDir string, name string) (string, string, bool, error) {
// Reject the input as it is a path traversal attempt. // Reject the input as it is a path traversal attempt.
return prefixDir, name, false, nil return prefixDir, name, false, nil
} }
}
return destPath, filename, true, nil return destPath, filename, true, nil
} }
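Review bot: With the new `if prefixDir != ""` guard, an empty prefix leaves `destPath` at its zero value, so the success return on the last line yields `("", filename, true, nil)`, and any caller that uses the first result as the path to open (prefixedDir.Open in the first file now does) would open "". Initialising the fallback up front, `destPath := filename` in place of `var destPath string`, or documenting that the first result is only meaningful when prefixDir is non-empty, would make the contract explicit. Note also that the EvalSymlinks containment check inside the guard is now skipped entirely for an empty prefix, so traversal protection in that case rests solely on the sanitisation performed earlier in the function, which lies outside this hunk. SafeFilename starts before the hunk.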


@ -134,7 +134,15 @@ var ResolveHTTPFS = func(fsOrDir interface{}) http.FileSystem {
// FindNames accepts a "http.FileSystem" and a root name and returns // FindNames accepts a "http.FileSystem" and a root name and returns
// the list containing its file names. // the list containing its file names.
func FindNames(fileSystem http.FileSystem, name string) ([]string, error) { func FindNames(fileSystem http.FileSystem, name string) ([]string, error) {
f, err := fileSystem.Open(name) _, filename, ok, err := SafeFilename("", name)
if err != nil {
return nil, err
}
if !ok {
return nil, fmt.Errorf("invalid file name: %s", name)
}
f, err := fileSystem.Open(filename)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -160,8 +168,8 @@ func FindNames(fileSystem http.FileSystem, name string) ([]string, error) {
// Note: // Note:
// go-bindata has absolute names with os.Separator, // go-bindata has absolute names with os.Separator,
// http.Dir the basename. // http.Dir the basename.
filename := toBaseName(info.Name()) baseFilename := toBaseName(info.Name())
fullname := path.Join(name, filename) fullname := path.Join(name, baseFilename)
if fullname == name { // prevent looping through itself. if fullname == name { // prevent looping through itself.
continue continue
} }
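Review bot: After the new validation, `fileSystem.Open(filename)` opens the sanitised name, but the rest of FindNames keeps working with the original `name` (`path.Join(name, baseFilename)` and the `fullname == name` check in the second hunk), so the returned entries are built from a value that may differ from what was actually opened if SafeFilename rewrites it; I cannot see from the hunk whether the second result always equals the input on success. Assigning `name = filename` right after the `!ok` check would keep the two in step. The rejecting branch formats user input with `%s`; `return nil, fmt.Errorf("invalid file name: %q", name)` makes empty or whitespace-only names visible in the message, and `fmt` must be imported in this file (the import block is not in the hunk). FindNames continues past the end of the hunk.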