go-packages/iris
1
0
Fork 0
mirror of https://github.com/kataras/iris.git synced 2025-01-23 02:31:04 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

minor

Browse Source
This commit is contained in:
Gerasimos (Makis) Maropoulos 2024-04-24 18:25:24 +03:00
parent 6167d3ed6b
commit d88273ab55
No known key found for this signature in database
GPG Key ID: D6032D1840F48BEC
3 changed files with 28 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
aliases.go
View File

@ -4,7 +4,6 @@ import (
"io/fs"
"net/http"
"net/url"
"path"
"regexp"
"strings"
"time"
@ -326,7 +325,7 @@ type prefixedDir struct {
}
func (p *prefixedDir) Open(name string) (http.File, error) {
destPath, filename, ok, err := context.SafeFilename(p.prefix, name)
destPath, _, ok, err := context.SafeFilename(p.prefix, name)
if err != nil {
return nil, err
}
@ -334,8 +333,8 @@ func (p *prefixedDir) Open(name string) (http.File, error) {
return nil, http.ErrMissingFile // unsafe.
}
name = path.Join(destPath, filename)
return p.fs.Open(name)
// name = path.Join(destPath, filename)
return p.fs.Open(destPath)
}
type partyConfiguratorMiddleware struct {

5
context/context.go
View File

@ -2418,8 +2418,10 @@ func SafeFilename(prefixDir string, name string) (string, string, bool, error) {
return prefixDir, name, false, nil
}
var destPath string
if prefixDir != "" {
// Join the sanitized input with the destination directory.
destPath := filepath.Join(prefixDir, filename)
destPath = filepath.Join(prefixDir, filename)
// Get the canonical path of the destination directory.
canonicalDestDir, err := filepath.EvalSymlinks(prefixDir) // the prefix dir should exists.
@ -2432,6 +2434,7 @@ func SafeFilename(prefixDir string, name string) (string, string, bool, error) {
// Reject the input as it is a path traversal attempt.
return prefixDir, name, false, nil
}
}
return destPath, filename, true, nil
}

14
context/fs.go
View File

@ -134,7 +134,15 @@ var ResolveHTTPFS = func(fsOrDir interface{}) http.FileSystem {
// FindNames accepts a "http.FileSystem" and a root name and returns
// the list containing its file names.
func FindNames(fileSystem http.FileSystem, name string) ([]string, error) {
f, err := fileSystem.Open(name)
_, filename, ok, err := SafeFilename("", name)
if err != nil {
return nil, err
}
if !ok {
return nil, fmt.Errorf("invalid file name: %s", name)
}
f, err := fileSystem.Open(filename)
if err != nil {
return nil, err
}
@ -160,8 +168,8 @@ func FindNames(fileSystem http.FileSystem, name string) ([]string, error) {
// Note:
// go-bindata has absolute names with os.Separator,
// http.Dir the basename.
filename := toBaseName(info.Name())
fullname := path.Join(name, filename)
baseFilename := toBaseName(info.Name())
fullname := path.Join(name, baseFilename)
if fullname == name { // prevent looping through itself.
continue
}