mystiq/rageshake
Archived
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

add some comments about path sanitisation

Browse source
This commit is contained in:
Richard van der Hoff 2017-04-06 12:16:28 +01:00
parent 22839aec6e
commit 16ce63c208
1 changed files with 5 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
src/github.com/matrix-org/rageshake/logserver.go
View file

@ -46,7 +46,11 @@ func (f *logServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// eliminate ., .., //, etc // eliminate ., .., //, etc
upath = path.Clean(upath) upath = path.Clean(upath)
// reject some dodgy paths // reject some dodgy paths. This is based on the code for http.Dir.Open (see https://golang.org/src/net/http/fs.go#L37).
//
// the check for '..' is a sanity-check because my understanding of `path.Clean` is that it should never return
// a value including '..' for input starting with '/'. It's taken from the code for http.ServeFile
// (https://golang.org/src/net/http/fs.go#L637).
if containsDotDot(upath) || strings.Contains(upath, "\x00") || (filepath.Separator != '/' && strings.IndexRune(upath, filepath.Separator) >= 0) { if containsDotDot(upath) || strings.Contains(upath, "\x00") || (filepath.Separator != '/' && strings.IndexRune(upath, filepath.Separator) >= 0) {
http.Error(w, "invalid URL path", http.StatusBadRequest) http.Error(w, "invalid URL path", http.StatusBadRequest)
return return