Fix BUG: /abc.html/aaa match /abc/aaa
flycash committed Jan 25, 2021
1 parent d7a918f commit d5df5e4
Showing 3 changed files with 19 additions and 4 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -1,4 +1,5 @@
# developing
- Fix: /abc.html/aaa match /abc/aaa. [4459](https://github.com/beego/beego/pull/4459)
- ORM mock. [4407](https://github.com/beego/beego/pull/4407)
- Add sonar check and ignore test. [4432](https://github.com/beego/beego/pull/4432) [4433](https://github.com/beego/beego/pull/4433)
- Update changlog.yml to check every PR to develop branch.[4427](https://github.com/beego/beego/pull/4427)
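--- a/server/web/tree.go
+++ b/server/web/tree.go
@@ -342,8 +342,9 @@ func (t *Tree) match(treePattern string, pattern string, wildcardValues []string
 if runObject == nil && len(t.fixrouters) > 0 {
 // Filter the .json .xml .html extension
 for _, str := range allowSuffixExt {
-if strings.HasSuffix(seg, str) {
+if strings.HasSuffix(seg, str) && strings.HasSuffix(treePattern, seg){
 for _, subTree := range t.fixrouters {
+// strings.HasSuffix(treePattern, seg) avoid cases: /aaa.html/bbb could access /aaa/bbb
 if subTree.prefix == seg[:len(seg)-len(str)] {
 runObject = subTree.match(treePattern, pattern, wildcardValues, ctx)
 if runObject != nil {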
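Review bot: The new guard `strings.HasSuffix(treePattern, seg)` is a plain string-suffix test, not a segment test, so a request whose final segment merely ends with the same text as an earlier one (for example `/abc.html/xabc.html`, where seg `abc.html` at the first position is a suffix of the whole path) still passes it and can still reach the extension-stripping fallback that the commit means to close. A boundary-aware form, `treePattern == seg || strings.HasSuffix(treePattern, "/"+seg)`, rules that out; and if `pattern` holds the not-yet-consumed remainder of the request, as its use two lines below suggests, the property the comment describes ("seg is the last segment") is better checked directly as "nothing follows seg" than through a suffix of treePattern. The added line also needs a space before `{` to be gofmt-clean, and the comment explaining the guard sits inside the inner loop one line below the condition it explains, so I'd move it directly above the `if`. The enclosing `match` starts and ends outside the hunk.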
19 changes: 16 additions & 3 deletions server/web/tree_test.go
Expand Up @@ -17,6 +17,7 @@ package web
import (
"strings"
"testing"
"time"

"github.com/beego/beego/v2/server/web/context"
)
Expand Down Expand Up @@ -49,7 +50,7 @@ func notMatchTestInfo(pattern, url string) testInfo {
}

func init() {
routers = make([]testInfo, 0)
routers = make([]testInfo, 0, 128)
// match example
routers = append(routers, matchTestInfo("/topic/?:auth:int", "/topic", nil))
routers = append(routers, matchTestInfo("/topic/?:auth:int", "/topic/123", map[string]string{":auth": "123"}))
Expand Down Expand Up @@ -108,12 +109,23 @@ func init() {
routers = append(routers, notMatchTestInfo("/read_:id:int\\.htm", "/read_222_htm"))
routers = append(routers, notMatchTestInfo("/read_:id:int\\.htm", " /read_262shtm"))

// test .html, .json not suffix
const abcHtml = "/suffix/abc.html"
routers = append(routers, notMatchTestInfo(abcHtml, "/suffix.html/abc"))
routers = append(routers, matchTestInfo("/suffix/abc", abcHtml, nil))
routers = append(routers, matchTestInfo("/suffix/*", abcHtml, nil))
routers = append(routers, notMatchTestInfo("/suffix/*", "/suffix.html/a"))
const abcSuffix = "/abc/suffix/*"
routers = append(routers, notMatchTestInfo(abcSuffix, "/abc/suffix.html/a"))
routers = append(routers, matchTestInfo(abcSuffix, "/abc/suffix/a", nil))
routers = append(routers, notMatchTestInfo(abcSuffix, "/abc.j/suffix/a"))

}

func TestTreeRouters(t *testing.T) {
for _, r := range routers {
shouldMatch := r.shouldMatchOrNot

shouldMatch := r.shouldMatchOrNot
tr := NewTree()
tr.AddRouter(r.pattern, "astaxie")
ctx := context.NewContext()
Expand All @@ -122,7 +134,7 @@ func TestTreeRouters(t *testing.T) {
if obj != nil {
t.Fatal("pattern:", r.pattern, ", should not match", r.requestUrl)
} else {
return
continue
}
}
if obj == nil || obj.(string) != "astaxie" {
Expand All @@ -138,6 +150,7 @@ func TestTreeRouters(t *testing.T) {
}
}
}
time.Sleep(time.Second)
}

func TestStaticPath(t *testing.T) {
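Review bot: The `time.Sleep(time.Second)` added at the end of TestTreeRouters, together with the `"time"` import added solely for it, delays every run of the test by a full second without asserting anything, and nothing in the hunk says what it waits for; I'd drop both lines, or add a comment naming the reason if one exists. The new cases cover `/suffix.html/abc` and `/abc/suffix.html/a`, but none covers a request whose final segment ends with the same text as an earlier one (for example `/abc.html/xabc.html` against `/abc/*`), which is the shape a plain suffix test on the full path does not distinguish from a genuine last-segment extension; a `notMatchTestInfo` for it would pin the fix. The `init` and `TestTreeRouters` bodies continue across the elided lines between hunks.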

4 comments on commit d5df5e4

@y0unge

@y0unge y0unge commented on d5df5e4 Apr 7, 2022


@jianzhiyao


CVE-2021-30080

Hi, @y0unge, can you describe how to reproduce the bug?
I'm a team member of beego.
My email is jianzhiyao020@gmail.com

@astaxie


@y0unge

@y0unge y0unge commented on d5df5e4 Oct 11, 2022 via email

