add some comments about path sanitisation

This commit is contained in:
Richard van der Hoff 2017-04-06 12:16:28 +01:00
parent 22839aec6e
commit 16ce63c208

View file

@ -46,7 +46,11 @@ func (f *logServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// eliminate ., .., //, etc // eliminate ., .., //, etc
upath = path.Clean(upath) upath = path.Clean(upath)
// reject some dodgy paths // reject some dodgy paths. This is based on the code for http.Dir.Open (see https://golang.org/src/net/http/fs.go#L37).
//
// the check for '..' is a sanity-check because my understanding of `path.Clean` is that it should never return
// a value including '..' for input starting with '/'. It's taken from the code for http.ServeFile
// (https://golang.org/src/net/http/fs.go#L637).
if containsDotDot(upath) || strings.Contains(upath, "\x00") || (filepath.Separator != '/' && strings.IndexRune(upath, filepath.Separator) >= 0) { if containsDotDot(upath) || strings.Contains(upath, "\x00") || (filepath.Separator != '/' && strings.IndexRune(upath, filepath.Separator) >= 0) {
http.Error(w, "invalid URL path", http.StatusBadRequest) http.Error(w, "invalid URL path", http.StatusBadRequest)
return return