kennygrant / sanitize

Package sanitize provides functions for sanitizing text in golang strings.
BSD 3-Clause "New" or "Revised" License

Path function #20

Closed zyayaa closed 6 years ago

zyayaa commented 7 years ago

The Path function deals correctly with this vector "http://localhost:8080/?file=..\etc/passwd", but when you use "http://localhost:8080/?file=../etc/passwd" the resulting path will be "/etc/passwd".

kennygrant commented 6 years ago

Sorry for the late response, life got in the way. This function isn't intended to serve files, and cannot know which path the files might be at (if this path refers to a local file). I've improved the docs to make this clear.

If you're serving files you should always clean the path but also always root the path at a known root (say your public folder). On its own this function doesn't serve files and isn't intended to prefix them with a known safe path, it simply strips accents, .. and calls path.Clean on the path.

If you clean it with path.Clean or a function such as this, you then need to set the root (be that "." or "./public" or "./public/assets") before calling functions to stat the file or read it.

If you have an example of bad usage please do let me know though.
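The clean-then-root pattern described above, written out as an added Go example that is not part of the sanitize package or of this thread; the root name "public", the helper names SafeJoin and WithinRoot, and the sample request paths are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a candidate path would escape the root.
var ErrOutsideRoot = errors.New("path escapes root directory")

// WithinRoot reports whether candidate, after cleaning, is root itself or
// lies beneath it. It uses filepath.Rel rather than a string prefix check,
// so "publicfoo/x" is not mistaken for something under "public".
func WithinRoot(root, candidate string) bool {
	rel, err := filepath.Rel(filepath.Clean(root), filepath.Clean(candidate))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// SafeJoin cleans a user-supplied request path and anchors it under root.
// Cleaning or stripping ".." alone is not enough to open the result safely;
// the joined path is verified to stay inside root before it is returned.
func SafeJoin(root, requested string) (string, error) {
	// Normalise backslashes, then treat the request as rooted at "/" so that
	// path.Clean resolves every ".." against "/" instead of leaving it in place.
	cleaned := path.Clean("/" + strings.ReplaceAll(requested, "\\", "/"))
	joined := filepath.Join(root, filepath.FromSlash(cleaned))
	if !WithinRoot(root, joined) {
		return "", ErrOutsideRoot
	}
	return joined, nil
}

func main() {
	// Constructed sample requests, including the two from the issue.
	for _, req := range []string{"../etc/passwd", `..\etc/passwd`, "css/site.css"} {
		p, err := SafeJoin("public", req)
		fmt.Printf("%-18q -> %q %v\n", req, p, err)
	}
}
```

Only the path returned by SafeJoin should reach os.Stat or os.Open; the raw request value never should.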