Use path.Clean to eliminate path traversal (#12)

moexmen · Feb 5, 2018 · 9124d8c · 9124d8c
1 parent becaa02
commit 9124d8c
Showing 1 changed file with 2 additions and 23 deletions.
diff --git a/web/fileserver.go b/web/fileserver.go
@@ -3,7 +3,7 @@ package web
 import (
 	"net/http"
 	"os"
-	"strings"
+	"path"
 )
 
 type fileHandler struct {
@@ -33,32 +33,11 @@ func FileServerHandler(root string, notFound http.HandlerFunc) http.Handler {
 }
 
 func (h fileHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	if containsDotDot(r.URL.Path) {
-		h.NotFound(w, r)
-		return
-	}
-
-	name := h.Root + r.URL.Path
+	name := f.Root + path.Clean(r.URL.Path)
 	info, err := os.Stat(name)
 	if os.IsNotExist(err) || info.IsDir() {
 		h.NotFound(w, r)
 		return
 	}
 	http.ServeFile(w, r, name)
 }
-
-// This is copied from https://github.com/golang/go/blob/master/src/net/http/fs.go#L676
-func containsDotDot(v string) bool {
-	if !strings.Contains(v, "..") {
-		return false
-	}
-	for _, ent := range strings.FieldsFunc(v, isSlashRune) {
-		if ent == ".." {
-			return true
-		}
-	}
-	return false
-}
-
-// This is copied from https://github.com/golang/go/blob/master/src/net/http/fs.go#L688
-func isSlashRune(r rune) bool { return r == '/' || r == '\\' }