Enabled security while serving static files

Signed-off-by: Vishal Rana <vr@labstack.com>
labstack · Feb 22, 2017 · d259f88 · d259f88
1 parent 91d2727
commit d259f88
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 4 deletions.
diff --git a/echo.go b/echo.go
@@ -46,6 +46,7 @@ import (
 	"net"
 	"net/http"
 	"path"
+	"path/filepath"
 	"reflect"
 	"runtime"
 	"sync"
@@ -403,7 +404,8 @@ func (e *Echo) Static(prefix, root string) {
 
 func static(i i, prefix, root string) {
 	h := func(c Context) error {
-		return c.File(path.Join(root, c.Param("*")))
+		name := filepath.Join(root, path.Clean("/"+c.Param("*"))) // `/` for security
+		return c.File(name)
 	}
 	i.GET(prefix, h)
 	if prefix == "/" {

diff --git a/middleware/static.go b/middleware/static.go
@@ -3,6 +3,7 @@ package middleware
 import (
 	"fmt"
 	"os"
+	"path"
 	"path/filepath"
 	"strings"
 
@@ -66,11 +67,11 @@ func StaticWithConfig(config StaticConfig) echo.MiddlewareFunc {
 
 	return func(next echo.HandlerFunc) echo.HandlerFunc {
 		return func(c echo.Context) error {
-			path := c.Request().URL.Path
+			p := c.Request().URL.Path
 			if strings.HasSuffix(c.Path(), "*") { // When serving from a group, e.g. `/static*`.
-				path = c.Param("*")
+				p = c.Param("*")
 			}
-			name := filepath.Join(config.Root, path)
+			name := filepath.Join(config.Root, path.Clean("/"+p)) // "/"+ for security
 
 			fi, err := os.Stat(name)
 			if err != nil {