From f31875dfdeb73db9dddf6a2a175a6b0b349d9b28 Mon Sep 17 00:00:00 2001
From: W-Mark Kubacki
Date: Fri, 15 Apr 2016 20:38:58 +0200
Subject: [PATCH] Move sanitization of URL.Path to Server

No need to have this in every plugin. And, even in flat filesystems filenames with dots and slashes are best avoided.
---
 server/server.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/server/server.go b/server/server.go
index b9fa575a2..40689dfa4 100644
--- a/server/server.go
+++ b/server/server.go
@@ -14,6 +14,7 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"path/filepath"
 	"runtime"
 	"strings"
 	"sync"
@@ -332,6 +333,16 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
+	// Use URL.RawPath If you need the original, "raw" URL.Path in your middleware.
+	// Collapse any ./ ../ /// madness here instead of doing that in every plugin.
+	if r.URL.Path != "/" {
+		path := filepath.Clean(r.URL.Path)
+		if !strings.HasPrefix(path, "/") {
+			path = "/" + path
+		}
+		r.URL.Path = path
+	}
+
 	// Execute the optional request callback if it exists and it's not disabled
 	if s.ReqCallback != nil && !s.vhosts[host].config.TLS.Manual && s.ReqCallback(w, r) {
 		return
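Review bot: `filepath.Clean` is the wrong function for `r.URL.Path` in the ServeHTTP hunk: it is OS-specific, and on Windows it rewrites the separators to backslashes, so a request for `/a/../b` becomes `\b`, the `strings.HasPrefix(path, "/")` guard then fails, and the path handed to the plugins is `/\b`. URL paths are slash-separated on every platform, so this should be `path.Clean` from the `path` package, which means the import hunk should add `"path"` rather than `"path/filepath"` and the local variable needs another name to avoid shadowing that package, e.g. `cleaned := path.Clean(r.URL.Path)`. Note also that `path.Clean` drops a trailing slash (`/dir/` becomes `/dir`), and this rewrite runs before the request callback and every middleware, so anything that distinguishes directory requests by the trailing slash will no longer see it. The new comment's claim that the original path survives in `URL.RawPath` holds only when net/url populated that field, which it does just when the escaped form differs from the default encoding of Path; the comment should say so, or the server should keep the original itself before cleaning. ServeHTTP's body continues outside the hunk.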