Mirrors/kararas_iris
1
0
Fork 0
mirror of https://github.com/kataras/iris.git synced 2025-12-18 10:27:06 +00:00
Code Releases Activity

minor

Browse Source
This commit is contained in:
Gerasimos (Makis) Maropoulos
2024-04-24 18:25:24 +03:00
parent 6167d3ed6b
commit d88273ab55
3 changed files with 28 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
context/context.go
View File

@@ -2418,19 +2418,22 @@ func SafeFilename(prefixDir string, name string) (string, string, bool, error) {
return prefixDir, name, false, nil
}
// Join the sanitized input with the destination directory.
destPath := filepath.Join(prefixDir, filename)
var destPath string
if prefixDir != "" {
// Join the sanitized input with the destination directory.
destPath = filepath.Join(prefixDir, filename)
// Get the canonical path of the destination directory.
canonicalDestDir, err := filepath.EvalSymlinks(prefixDir) // the prefix dir should exists.
if err != nil {
return prefixDir, name, false, fmt.Errorf("dest directory: %s: eval symlinks: %w", prefixDir, err)
}
// Get the canonical path of the destination directory.
canonicalDestDir, err := filepath.EvalSymlinks(prefixDir) // the prefix dir should exists.
if err != nil {
return prefixDir, name, false, fmt.Errorf("dest directory: %s: eval symlinks: %w", prefixDir, err)
}
// Check if the destination path is within the destination directory.
if !strings.HasPrefix(destPath, canonicalDestDir) {
// Reject the input as it is a path traversal attempt.
return prefixDir, name, false, nil
// Check if the destination path is within the destination directory.
if !strings.HasPrefix(destPath, canonicalDestDir) {
// Reject the input as it is a path traversal attempt.
return prefixDir, name, false, nil
}
}
return destPath, filename, true, nil