minor

aliases.go

@@ -4,7 +4,6 @@ import (
 	"io/fs"
 	"net/http"
 	"net/url"
-	"path"
 	"regexp"
 	"strings"
 	"time"
@@ -326,7 +325,7 @@ type prefixedDir struct {
 }
 
 func (p *prefixedDir) Open(name string) (http.File, error) {
-	destPath, filename, ok, err := context.SafeFilename(p.prefix, name)
+	destPath, _, ok, err := context.SafeFilename(p.prefix, name)
 	if err != nil {
 		return nil, err
 	}
@@ -334,8 +333,8 @@ func (p *prefixedDir) Open(name string) (http.File, error) {
 		return nil, http.ErrMissingFile // unsafe.
 	}
 
-	name = path.Join(destPath, filename)
+	//	name = path.Join(destPath, filename)
-	return p.fs.Open(name)
+	return p.fs.Open(destPath)
 }
 
 type partyConfiguratorMiddleware struct {

context/context.go

@@ -2418,19 +2418,22 @@ func SafeFilename(prefixDir string, name string) (string, string, bool, error) {
 		return prefixDir, name, false, nil
 	}
 
-	// Join the sanitized input with the destination directory.
+	var destPath string
-	destPath := filepath.Join(prefixDir, filename)
+	if prefixDir != "" {
+		// Join the sanitized input with the destination directory.
+		destPath = filepath.Join(prefixDir, filename)
 
-	// Get the canonical path of the destination directory.
+		// Get the canonical path of the destination directory.
-	canonicalDestDir, err := filepath.EvalSymlinks(prefixDir) // the prefix dir should exists.
+		canonicalDestDir, err := filepath.EvalSymlinks(prefixDir) // the prefix dir should exists.
-	if err != nil {
+		if err != nil {
-		return prefixDir, name, false, fmt.Errorf("dest directory: %s: eval symlinks: %w", prefixDir, err)
+			return prefixDir, name, false, fmt.Errorf("dest directory: %s: eval symlinks: %w", prefixDir, err)
-	}
+		}
 
-	// Check if the destination path is within the destination directory.
+		// Check if the destination path is within the destination directory.
-	if !strings.HasPrefix(destPath, canonicalDestDir) {
+		if !strings.HasPrefix(destPath, canonicalDestDir) {
-		// Reject the input as it is a path traversal attempt.
+			// Reject the input as it is a path traversal attempt.
-		return prefixDir, name, false, nil
+			return prefixDir, name, false, nil
+		}
 	}
 
 	return destPath, filename, true, nil

context/fs.go

@@ -134,7 +134,15 @@ var ResolveHTTPFS = func(fsOrDir interface{}) http.FileSystem {
 // FindNames accepts a "http.FileSystem" and a root name and returns
 // the list containing its file names.
 func FindNames(fileSystem http.FileSystem, name string) ([]string, error) {
-	f, err := fileSystem.Open(name)
+	_, filename, ok, err := SafeFilename("", name)
+	if err != nil {
+		return nil, err
+	}
+	if !ok {
+		return nil, fmt.Errorf("invalid file name: %s", name)
+	}
+
+	f, err := fileSystem.Open(filename)
 	if err != nil {
 		return nil, err
 	}
@@ -160,8 +168,8 @@ func FindNames(fileSystem http.FileSystem, name string) ([]string, error) {
 		// Note:
 		// go-bindata has absolute names with os.Separator,
 		// http.Dir the basename.
-		filename := toBaseName(info.Name())
+		baseFilename := toBaseName(info.Name())
-		fullname := path.Join(name, filename)
+		fullname := path.Join(name, baseFilename)
 		if fullname == name { // prevent looping through itself.
 			continue
 		}