net/http: don't allow zero byte in FileServer paths
Should probably be fixed in the syscall package, either in addition to or instead of this CL. Fixes #3842 R=golang-dev, rsc CC=golang-dev https://golang.org/cl/6442061
parent
482ceeda6d
commit
538b2122f1
@ -28,7 +28,8 @@ import (
|
||||
type Dir string
|
||||
|
||||
func (d Dir) Open(name string) (File, error) {
|
||||
if filepath.Separator != '/' && strings.IndexRune(name, filepath.Separator) >= 0 {
|
||||
if filepath.Separator != '/' && strings.IndexRune(name, filepath.Separator) >= 0 ||
|
||||
strings.Contains(name, "\x00") {
|
||||
return nil, errors.New("http: invalid character in file path")
|
||||
}
|
||||
dir := string(d)
|
||||
|
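Review bot: The new condition in `Dir.Open` mixes `&&` and `||` without parentheses and has no comment saying why a zero byte is rejected. It evaluates as intended because `&&` binds tighter, but grouping the separator test explicitly, `if (filepath.Separator != '/' && strings.IndexRune(name, filepath.Separator) >= 0) ||`, makes that visible to the next editor. Above the `if` I would add a comment along the lines of `// Reject NUL: the OS layer may treat it as end-of-string, so the name validated here might not be the name opened (issue 3842).`, worded to match whatever syscall behaviour the description is alluding to. The guard covers only `Dir`, so other `FileSystem` implementations still depend on their own check or on the syscall-level fix. The body of `Open` continues past the end of this hunk.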
@ -389,6 +389,23 @@ func TestServeIndexHtml(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestFileServerZeroByte(t *testing.T) {
|
||||
ts := httptest.NewServer(FileServer(Dir(".")))
|
||||
defer ts.Close()
|
||||
|
||||
res, err := Get(ts.URL + "/..\x00")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
b, err := ioutil.ReadAll(res.Body)
|
||||
if err != nil {
|
||||
t.Fatal("reading Body:", err)
|
||||
}
|
||||
if res.StatusCode == 200 {
|
||||
t.Errorf("got status 200; want an error. Body is:\n%s", string(b))
|
||||
}
|
||||
}
|
||||
|
||||
type fakeFileInfo struct {
|
||||
dir bool
|
||||
basename string
|
||||
|
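Review bot: `TestFileServerZeroByte` never closes `res.Body`, and its only assertion is that the status is not 200. Adding `res.Body.Close()` right after the `ioutil.ReadAll` call releases the connection before the deferred `ts.Close()` runs. The check `res.StatusCode == 200` also passes on a 500 or any other unexpected response, so pinning the status the handler is meant to return for a rejected path would make the regression test tighter, e.g. `if res.StatusCode != StatusNotFound {` (presumably 404; confirm against the handler). A second request with the zero byte in the middle of the path rather than at the end would cover the other placement.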