diff options
| -rw-r--r-- | gogs.go | 2 | ||||
| -rw-r--r-- | pkg/tool/path.go | 4 | ||||
| -rw-r--r-- | pkg/tool/path_test.go | 1 | ||||
| -rw-r--r-- | templates/.VERSION | 2 |
4 files changed, 6 insertions, 3 deletions
@@ -16,7 +16,7 @@ import ( "github.com/gogs/gogs/pkg/setting" ) -const APP_VER = "0.11.81.1217" +const APP_VER = "0.11.82.1218" func init() { setting.AppVer = APP_VER diff --git a/pkg/tool/path.go b/pkg/tool/path.go index 3c0d2d02..528db86d 100644 --- a/pkg/tool/path.go +++ b/pkg/tool/path.go @@ -17,5 +17,7 @@ func IsSameSiteURLPath(url string) bool { // SanitizePath sanitizes user-defined file paths to prevent remote code execution. func SanitizePath(path string) string { - return strings.TrimLeft(path, "./") + path = strings.TrimLeft(path, "/") + path = strings.Replace(path, "../", "", -1) + return path } diff --git a/pkg/tool/path_test.go b/pkg/tool/path_test.go index c9e18294..9f3441b1 100644 --- a/pkg/tool/path_test.go +++ b/pkg/tool/path_test.go @@ -38,6 +38,7 @@ func Test_SanitizePath(t *testing.T) { expect string }{ {"../../../../../../../../../data/gogs/data/sessions/a/9/a9f0ab6c3ef63dd8", "data/gogs/data/sessions/a/9/a9f0ab6c3ef63dd8"}, + {"data/gogs/../../../../../../../../../data/sessions/a/9/a9f0ab6c3ef63dd8", "data/gogs/data/sessions/a/9/a9f0ab6c3ef63dd8"}, {"data/sessions/a/9/a9f0ab6c3ef63dd8", "data/sessions/a/9/a9f0ab6c3ef63dd8"}, } diff --git a/templates/.VERSION b/templates/.VERSION index da31b367..9f1b25ca 100644 --- a/templates/.VERSION +++ b/templates/.VERSION @@ -1 +1 @@ -0.11.81.1217 +0.11.82.1218 |