fix: being able to access a file if someone knows app.filesDir

jabuxas 2025-02-10 16:41:29 -03:00
parent cd843ccc11
commit 034882c0e5


@ -110,7 +110,7 @@ func (app *Application) indexHandler(w http.ResponseWriter, r *http.Request) {
name := filepath.Base(r.URL.Path) name := filepath.Base(r.URL.Path)
realPath := filepath.Join(app.filesDir, name) realPath := filepath.Join(app.filesDir, name)
if !filepath.IsLocal(realPath) { if !filepath.IsLocal(realPath) || strings.Contains(r.URL.Path, filepath.Clean(app.filesDir)) {
http.Error(w, "Wrong url", http.StatusBadRequest) http.Error(w, "Wrong url", http.StatusBadRequest)
return return
} }
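Review bot: The added `strings.Contains(r.URL.Path, filepath.Clean(app.filesDir))` condition is a substring denylist and does not validate the shape of the request path. Because `name` comes from `filepath.Base(r.URL.Path)`, every leading segment is discarded before the join, so the check covers only the one prefix that spells the storage directory, and it also refuses legitimate names that merely contain that string. If files are meant to be served as a single segment under the handler's root (an assumption to confirm, since the routing and the rest of `indexHandler` lie outside this hunk), an allowlist is tighter: `if r.URL.Path != "/"+name || !filepath.IsLocal(name) {`. Passing `name` to `filepath.IsLocal` instead of `realPath` also matters because `IsLocal` returns false for any absolute path, so an absolute `app.filesDir` would make the current guard reject every request. A short comment above the guard saying which request forms are accepted would help the next reader.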