
Static module should only allow reading files within the base path

1 parent ba8840f commit 8bcdde96a1be8919e7695ca8d562bd4b9ea4ad51 @robfig committed Mar 10, 2013
Showing with 7 additions and 1 deletion.
  1. +7 −1 modules/static/app/controllers/static.go
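--- a/modules/static/app/controllers/static.go
+++ b/modules/static/app/controllers/static.go
@@ -4,6 +4,7 @@ import (
 "github.com/robfig/revel"
 "os"
 fpath "path/filepath"
+"strings"
 )
 type Static struct {
@@ -47,7 +48,12 @@ func (c Static) Serve(prefix, filepath string) revel.Result {
 basePath = revel.BasePath
 }
-fname := fpath.Join(basePath, fpath.FromSlash(prefix), fpath.FromSlash(filepath))
+basePathPrefix := fpath.Join(basePath, fpath.FromSlash(prefix))
+fname := fpath.Join(basePathPrefix, fpath.FromSlash(filepath))
+if !strings.HasPrefix(fname, basePathPrefix) {
+revel.WARN.Printf("Attempted to read file outside of base path: %s", fname)
+return c.NotFound("")
+}
 finfo, err := os.Stat(fname)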
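Review bot: The `strings.HasPrefix(fname, basePathPrefix)` guard in the second hunk still admits a sibling directory whose name merely begins with the base path, because `fpath.Join` has already collapsed any `..` segments before the comparison: with a base of `/srv/app/public`, a request that resolves to `/srv/app/public2/secret` passes the check. Compare against the directory boundary instead, e.g. `if fname != basePathPrefix && !strings.HasPrefix(fname, basePathPrefix+string(fpath.Separator)) {`, or compute `rel, err := fpath.Rel(basePathPrefix, fname)` and reject when `err != nil` or `rel` starts with `..`. The check also says nothing about symlinks beneath the base directory that point elsewhere; if those are not meant to be served, resolving `fname` with `fpath.EvalSymlinks` before the comparison would close that gap. Since `fname` is built from the request path, logging it with `%q` rather than `%s` keeps control characters out of the warning line. `Serve` continues past the end of the hunk, so the `finfo` handling that follows is not reviewed here.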
