Security Fix: clean paths correctly to avoid circumvention of BlacklistedPaths

Moritz Marquardt 2023-08-27 10:13:15 +02:00
parent d720d25e42
commit 56d3e291c4
3 changed files with 72 additions and 4 deletions


@ -1,6 +1,8 @@
package utils
import (
"net/url"
"path"
"strings"
)
@ -11,3 +13,15 @@ func TrimHostPort(host string) string {
}
return host
}
func CleanPath(uriPath string) string {
unescapedPath, _ := url.PathUnescape(uriPath)
cleanedPath := path.Join("/", unescapedPath)
// If the path refers to a directory, add a trailing slash.
if !strings.HasSuffix(cleanedPath, "/") && (strings.HasSuffix(unescapedPath, "/") || strings.HasSuffix(unescapedPath, "/.") || strings.HasSuffix(unescapedPath, "/..")) {
cleanedPath += "/"
}
return cleanedPath
}
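Review bot: `CleanPath` discards the error from `url.PathUnescape` (`unescapedPath, _ := ...`), and on a malformed percent-escape that call returns an empty string, so the function quietly returns `/` for the request. For a helper that exists to make the BlacklistedPaths check reliable, I would surface the failure instead, e.g. `unescapedPath, err := url.PathUnescape(uriPath)` followed by `if err != nil { return "", err }`, with the caller rejecting the request; the call sites are in the other changed files and not visible in this section, so how they use the cleaned value needs confirming. The path is decoded exactly once here, so it is also worth checking that nothing downstream decodes it again after the blacklist comparison. The exported function has no doc comment; something like `// CleanPath percent-decodes uriPath once, resolves "." and ".." against "/" and keeps a trailing slash for directory paths.` would state the contract.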