Do not allow double dot in url (#174)
yaacov authored Jun 26, 2018
1 parent 199d3e5 commit e4a6840
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions src/server/handlers/static.go
Expand Up @@ -22,6 +22,7 @@ import (
"net/http"
"os"
"path/filepath"
"strings"
)

// Static handler to serve static file
Expand All @@ -39,6 +40,13 @@ func (s *Static) SetNext(h http.Handler) {
func (s Static) ServeHTTP(w http.ResponseWriter, r *http.Request) {
path := s.MediaPath + r.URL.EscapedPath()

// Check for ".." in the url path,
// if we find ".." in the path we will not serve static files
if strings.Contains(path, "..") {
s.next.ServeHTTP(w, r)
return
}

// Add index.html to path if it ends with /
if path[len(path)-1:] == "/" {
path = path + "index.html"
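Review bot: The new guard in ServeHTTP tests the concatenation `s.MediaPath + r.URL.EscapedPath()`, so a MediaPath configured with a relative parent (for example `../static`) makes every request match and silently disables static serving. It also inspects only the percent-encoded form, so whether percent-encoded dots are caught depends on how `path` is decoded and opened further down, which is outside this hunk. I would test the decoded request path on its own, `if strings.Contains(r.URL.Path, "..") {`, with a comment such as `// check the decoded request path only; MediaPath is trusted configuration`. A handler test that covers a `..` segment, its percent-encoded form, and a harmless name like `a..b.js` would pin the intended behaviour. ServeHTTP's body continues past the end of the hunk.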
