fix: being able to access a file if someone knows app.filesDir

2025-02-10 16:41:29 -03:00 · 2025-02-10 16:41:29 -03:00 · 034882c0e5
commit 034882c0e5
parent cd843ccc11
1 changed files with 1 additions and 1 deletions
--- a/handlers.go
+++ b/handlers.go
@ -110,7 +110,7 @@ func (app *Application) indexHandler(w http.ResponseWriter, r *http.Request) {
 	name := filepath.Base(r.URL.Path)
 	realPath := filepath.Join(app.filesDir, name)

-	if !filepath.IsLocal(realPath) {
+	if !filepath.IsLocal(realPath) || strings.Contains(r.URL.Path, filepath.Clean(app.filesDir)) {
 		http.Error(w, "Wrong url", http.StatusBadRequest)
 		return
 	}