Skip to content

Commit

Permalink
feat(): sanitize '/' path properly
Browse files Browse the repository at this point in the history
  • Loading branch information
jabuxas committed Aug 19, 2024
1 parent b8ad1dd commit 2212962
Showing 1 changed file with 7 additions and 2 deletions.
9 changes: 7 additions & 2 deletions main.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,6 @@ import (
"net/http"
"os"
"path/filepath"
"strings"
"time"
)

Expand All @@ -28,7 +27,13 @@ func main() {
}

func fileHandler(w http.ResponseWriter, r *http.Request) {
path := filepath.Join(filesDir, strings.TrimPrefix(r.URL.Path, "/"))
name := filepath.Clean(r.URL.Path)
path := filepath.Join(filesDir, name)

if !filepath.IsLocal(path) {
http.Error(w, "Wrong url", http.StatusBadRequest)
return
}

if fileInfo, err := os.Stat(path); err == nil && !fileInfo.IsDir() {
http.ServeFile(w, r, path)
Expand Down

0 comments on commit 2212962

Please sign in to comment.