1
0
mirror of https://github.com/golang/go synced 2024-11-13 19:40:22 -07:00

net/http: don't allow zero byte in FileServer paths

Should probably be fixed in the syscall package, either
additional or instead of this CL.

Fixes #3842

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/6442061
This commit is contained in:
Brad Fitzpatrick 2012-07-30 13:57:30 +10:00
parent 482ceeda6d
commit 538b2122f1
2 changed files with 19 additions and 1 deletions

View File

@ -28,7 +28,8 @@ import (
type Dir string
func (d Dir) Open(name string) (File, error) {
if filepath.Separator != '/' && strings.IndexRune(name, filepath.Separator) >= 0 {
if filepath.Separator != '/' && strings.IndexRune(name, filepath.Separator) >= 0 ||
strings.Contains(name, "\x00") {
return nil, errors.New("http: invalid character in file path")
}
dir := string(d)

View File

@ -389,6 +389,23 @@ func TestServeIndexHtml(t *testing.T) {
}
}
func TestFileServerZeroByte(t *testing.T) {
ts := httptest.NewServer(FileServer(Dir(".")))
defer ts.Close()
res, err := Get(ts.URL + "/..\x00")
if err != nil {
t.Fatal(err)
}
b, err := ioutil.ReadAll(res.Body)
if err != nil {
t.Fatal("reading Body:", err)
}
if res.StatusCode == 200 {
t.Errorf("got status 200; want an error. Body is:\n%s", string(b))
}
}
type fakeFileInfo struct {
dir bool
basename string