author | Unknwon <u@gogs.io> | 2018-12-18 01:38:08 -0500 |
---|---|---|
committer | Unknwon <u@gogs.io> | 2018-12-18 01:38:08 -0500 |
commit | ff93d9dbda5cebe90d86e4b7dfb2c6b8642970ce (patch) | |
tree | ab40d87ca0b61ebbc47da72bd6b87f1bad17100c /pkg | |
parent | 86ada875296eb81ffd902f976eedee9ea0f19859 (diff) |
pkg/tool: improve SanitizePath (#5558)
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/tool/path.go | 4 | ||||
-rw-r--r-- | pkg/tool/path_test.go | 1 |
2 files changed, 4 insertions, 1 deletions
diff --git a/pkg/tool/path.go b/pkg/tool/path.go
index 3c0d2d02..528db86d 100644
--- a/pkg/tool/path.go
+++ b/pkg/tool/path.go
@@ -17,5 +17,7 @@ func IsSameSiteURLPath(url string) bool {
 // SanitizePath sanitizes user-defined file paths to prevent remote code execution.
 func SanitizePath(path string) string {
-	return strings.TrimLeft(path, "./")
+	path = strings.TrimLeft(path, "/")
+	path = strings.Replace(path, "../", "", -1)
+	return path
 }
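Review bot: The new `strings.Replace(path, "../", "", -1)` is a single non-overlapping pass, so removing one occurrence can join the surrounding characters into a fresh `../` (`....//` becomes `../`) or into a leading slash that the earlier `TrimLeft` already ran on (`..//x` becomes `/x`); the sanitizer is therefore not idempotent and its output can still carry the pattern it was meant to strip. Repeating the replacement until the input contains no `../` and only then trimming leading slashes closes both gaps without changing the results the existing test cases expect. The new table entry in pkg/tool/path_test.go only covers a mid-path `../` run, so a case for a rejoined form such as `{"....//data/x", "data/x"}` would pin the fix.
```go
func SanitizePath(path string) string {
	// Loop: one pass can recreate "../" from the pieces around a removed match.
	for strings.Contains(path, "../") {
		path = strings.Replace(path, "../", "", -1)
	}
	// Trim last so a "/" produced by the removals above cannot survive.
	return strings.TrimLeft(path, "/")
}
```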