Closed freehaha closed 11 years ago
What a great find. Well spotted.
@tylerb and I will address this tomorrow, unless you can think of a fix and submit a pull request?
@freehaha what OS are you using?
@matryer I currently don't have a fix. i'll try to come up with one after reading the source. @tylerb I'm using Linux, Debian, x86_64, go1.1
@freehaha thanks for the info. The fix should be pretty simple, but I can't seem to duplicate the bug on my Mac.
I'll see if I can get access to a debian box and try to reproduce it there.
hi, I've attach the patch that fixes this problem. However, I'm not sure that it affects other parts of the package so please take a look before merging.
What if we just throw an error if the path contains some illegal things, like "../" etc?
Would that work?
On 5 Jun 2013, at 09:27, Tyler notifications@github.com wrote:
@freehaha thanks for the info. The fix should be pretty simple, but I can't seem to duplicate the bug on my Mac.
I'll see if I can get access to a debian box and try to reproduce it there.
— Reply to this email directly or view it on GitHub.
@freehaha - it's fully TDD, so if you do go test ./...
(or better still use https://github.com/stretchrcom/gort) and if all tests pass, then you're golden. Also, before writing any code, you should try and 'prove' the bug by seeing a test fail first. In that case, we know we will be protected from regression.
I have some tests added. Please verify them, thanks!
path.Clean
probably fits better here
Hi, when a server comes up with a static serving directory. from client side it is able to access arbitrary file using relative path.
for example: my server is serving
/static
for static files, i can get/etc/passwd
by requesting/static/../../../../../../etc/passwd