pkg/tool: improve SanitizePath (gogs#5558)
unknwon authored and crohr committed Jan 31, 2019
1 parent fd71255 commit f957ec7
Showing 4 changed files with 6 additions and 3 deletions.
2 changes: 1 addition & 1 deletion gogs.go
Expand Up @@ -16,7 +16,7 @@ import (
"github.com/gogs/gogs/pkg/setting"
)

const APP_VER = "0.11.81.1217"
const APP_VER = "0.11.82.1218"

func init() {
setting.AppVer = APP_VER
4 changes: 3 additions & 1 deletion pkg/tool/path.go
Expand Up @@ -17,5 +17,7 @@ func IsSameSiteURLPath(url string) bool {

// SanitizePath sanitizes user-defined file paths to prevent remote code execution.
func SanitizePath(path string) string {
return strings.TrimLeft(path, "./")
path = strings.TrimLeft(path, "/")
path = strings.Replace(path, "../", "", -1)
return path
}
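Review bot: `strings.Replace(path, "../", "", -1)` on the new side is a single, non-iterative deletion rather than a normalization, so an input in which removing one `../` leaves a new `../` behind is returned still containing a parent reference, and a `..` that is the final element (no trailing slash) is not matched at all. Canonicalizing avoids both: rename the parameter so it no longer shadows the `path` package and write `return strings.TrimPrefix(path.Clean("/"+p), "/")`, which resolves every `..` against a virtual root and then drops the leading slash; `path` would have to be added to the file's import block, which is outside this hunk. This changes the expectation of the second case added in pkg/tool/path_test.go — `data/gogs/../../…` lexically resolves to `data/sessions/…`, not `data/gogs/data/sessions/…` — so that test row would need to be updated along with the code. The doc comment above the function could also say what the result guarantees, e.g. `// SanitizePath returns path as a slash-separated relative path with no leading "/" and no ".." elements.`, rather than naming the attack it is meant to prevent.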
1 change: 1 addition & 0 deletions pkg/tool/path_test.go
Expand Up @@ -38,6 +38,7 @@ func Test_SanitizePath(t *testing.T) {
expect string
}{
{"../../../../../../../../../data/gogs/data/sessions/a/9/a9f0ab6c3ef63dd8", "data/gogs/data/sessions/a/9/a9f0ab6c3ef63dd8"},
{"data/gogs/../../../../../../../../../data/sessions/a/9/a9f0ab6c3ef63dd8", "data/gogs/data/sessions/a/9/a9f0ab6c3ef63dd8"},

{"data/sessions/a/9/a9f0ab6c3ef63dd8", "data/sessions/a/9/a9f0ab6c3ef63dd8"},
}
2 changes: 1 addition & 1 deletion templates/.VERSION
@@ -1 +1 @@
0.11.81.1217
0.11.82.1218
