diff --git a/README.md b/README.md
index 205b00fb..fe079c5c 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,7 @@ ### News + * `v0.12.4` [released](https://docs.aahframework.org/release-notes.html) and tagged on Mar 03, 2020. * `v0.12.3` [released](https://docs.aahframework.org/release-notes.html) and tagged on Feb 06, 2019. * `v0.12.2` [released](https://docs.aahframework.org/release-notes.html) and tagged on Dec 13, 2018. * `v0.12.0` [released](https://docs.aahframework.org/release-notes.html) and tagged on Dec 02, 2018.
diff --git a/http_engine.go b/http_engine.go
index 92672301..1f9a8e4a 100644
--- a/http_engine.go
+++ b/http_engine.go
@@ -8,13 +8,14 @@ import (
 	"errors"
 	"io"
 	"net/http"
+	"path"
 	"sync"
 	"time"
 
 	"aahframe.work/ahttp"
 	"aahframe.work/ainsp"
 	"aahframe.work/aruntime"
-	"aahframe.work/essentials"
+	ess "aahframe.work/essentials"
 	"aahframe.work/internal/settings"
 	"aahframe.work/log"
 	"aahframe.work/security"
@@ -80,6 +81,9 @@ func (e *HTTPEngine) Handle(w http.ResponseWriter, r *http.Request) {
 		defer e.a.accessLog.Log(ctx)
 	}
 
+	// Path Clean
+	r.URL.Path = path.Clean(r.URL.Path)
+
 	ctx.Req, ctx.Res = ahttp.AcquireRequest(r), ahttp.AcquireResponseWriter(w)
 
 	// Recovery handling
diff --git a/static.go b/static.go
index cc477ed7..df35cfda 100644
--- a/static.go
+++ b/static.go
@@ -19,7 +19,7 @@ import (
 	"strings"
 
 	"aahframe.work/ahttp"
-	"aahframe.work/essentials"
+	ess "aahframe.work/essentials"
 	"aahframe.work/internal/util"
 	"aahframe.work/vfs"
 )
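Review bot: `r.URL.Path = path.Clean(r.URL.Path)` normalizes more than `..` segments: it collapses repeated slashes, removes a trailing slash (so `/assets/` is routed as `/assets`) and turns an empty path into `.`, which changes routing behaviour for any route that treats the trailing slash as significant. It also leaves `r.URL.RawPath` untouched, so the escaped and unescaped forms of the URL may no longer agree for code that reads `RawPath` directly (Go's `EscapedPath` falls back to re-encoding `Path` when the two disagree). The intent deserves a comment in place of `// Path Clean`, e.g. `// Normalise the request path before routing so ".." segments cannot escape a route's directory; this also strips trailing slashes.` Handle's body continues outside the hunk.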
@@ -166,6 +166,14 @@ func (s *staticManager) open(ctx *Context) (vfs.File, error) {
 		filePath = parseCacheBustPart(ctx.Req.PathValue("filepath"), s.a.BuildInfo().Version)
 	}
 
+	// path clean happens at http engine level also
+	// adding secondary check to disallow any access to
+	// config directory and its subtree
+	filePath = path.Join(ctx.route.Dir, filePath)
+	if strings.HasPrefix(filePath, "config") {
+		return nil, errors.New("resource access is not allowed")
+	}
+
 	resource := filepath.ToSlash(path.Join(s.a.VirtualBaseDir(), ctx.route.Dir, filePath))
 	ctx.Log().Tracef("Static resource: %s", resource)
 
diff --git a/version.go b/version.go
index d2f359e4..61115f79 100644
--- a/version.go
+++ b/version.go
@@ -5,4 +5,4 @@ package aah
 // Version no. of aah framework
-const Version = "0.12.3"
+const Version = "0.12.4"
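Review bot: The new `filePath = path.Join(ctx.route.Dir, filePath)` reassigns `filePath`, but the unchanged `resource := filepath.ToSlash(path.Join(s.a.VirtualBaseDir(), ctx.route.Dir, filePath))` line below still joins `ctx.route.Dir` as well, so the resolved resource contains the route directory twice whenever it is non-empty; drop `ctx.route.Dir` from that join, or keep the joined value in a separate variable used only by the check. The deny-list is also weaker than a containment check: `strings.HasPrefix(filePath, "config")` protects one directory by name (and would equally block a legitimately served `config-ui/` or `configuration.json` under the route), whereas anchoring the request below the route directory covers every sibling directory, e.g. `filePath = path.Join(ctx.route.Dir, path.Clean("/"+filePath))` so that any `..` resolves against the route root rather than the application base. Note too that `path.Clean`/`path.Join` only treat `/` as a separator while `filepath.ToSlash` runs after the check, so on Windows the check should be applied to the slash-normalized value. `open` begins before the hunk and continues after it.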