Reject requests containing '..' in them

2020-09-26 17:13:13 -04:00 · 2020-09-26 17:13:13 -04:00 · a1a2523c5c
commit a1a2523c5c
parent ceb40a2fab
1 changed files with 21 additions and 0 deletions
--- a/server.go
+++ b/server.go
@ -264,6 +264,7 @@ type ServeDir struct {
 }

 // FileServer takes a filesystem and returns a handler which uses that filesystem.
+// The returned Handler rejects requests containing '..' in them.
 func FileServer(fsys FS) Handler {
 	return fsHandler{
 		fsys,
@ -275,6 +276,12 @@ type fsHandler struct {
 }

 func (fsys fsHandler) Serve(rw *ResponseWriter, req *Request) {
+	if containsDotDot(req.URL.Path) {
+		// Reject requests with '..' in them
+		rw.WriteHeader(StatusBadRequest, "Invalid URL path")
+		return
+	}
+
 	// FIXME: Don't serve paths with .. in them
 	f, err := fsys.Open(req.URL.Path)
 	if err != nil {
@ -288,6 +295,20 @@ func (fsys fsHandler) Serve(rw *ResponseWriter, req *Request) {
 	io.Copy(rw, f)
 }

+func containsDotDot(v string) bool {
+	if !strings.Contains(v, "..") {
+		return false
+	}
+	for _, ent := range strings.FieldsFunc(v, isSlashRune) {
+		if ent == ".." {
+			return true
+		}
+	}
+	return false
+}
+
+func isSlashRune(r rune) bool { return r == '/' || r == '\\' }
+
 // TODO: replace with fs.FS when available
 type FS interface {
 	Open(name string) (File, error)