
Commit b852908

committed
protect against path traversal
1 parent 9e8d8a6 commit b852908


1 file changed

+8
-8
lines changed


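--- a/server/handlers/handlers.go
+++ b/server/handlers/handlers.go
@@ -17,7 +17,7 @@ func HandleUpload(w http.ResponseWriter, r *http.Request) {
 shareId := r.URL.Query().Get("shareId")
 
 // Check if share exists
-sharePath := path.Join("data", "share", shareId)
+sharePath := path.Join("data", "share", path.Join("/", shareId))
 if _, err := os.Stat(sharePath); os.IsNotExist(err) {
 fmt.Println(" The share does not exist, creation is done from Home page. Canceling upload")
 return
@@ -40,7 +40,7 @@ func HandleUpload(w http.ResponseWriter, r *http.Request) {
 }
 defer fileChunk.Close()
 
-tempFilePath := path.Join(sharePath, fileName)
+tempFilePath := path.Join(sharePath, path.Join("/", fileName))
 tempFile, err := os.OpenFile(tempFilePath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
 if err != nil {
 fmt.Println(" Error opening or creating temp file :")
@@ -73,7 +73,7 @@ func HandleSearch(w http.ResponseWriter, r *http.Request) {
 
 // Obtain shareId and Path from URL
 shareId := r.URL.Query().Get("shareId")
-sharePath := path.Join("data", "share", shareId)
+sharePath := path.Join("data", "share", path.Join("/", shareId))
 
 fmt.Println(" Searching for share", shareId)
 
@@ -143,11 +143,11 @@ func HandleDelete(w http.ResponseWriter, r *http.Request) {
 
 // Obtain shareId and Path from URL
 shareId := r.URL.Query().Get("shareId")
-sharePath := path.Join("data", "share", shareId)
+sharePath := path.Join("data", "share", path.Join("/", shareId))
 
 // Obtain fileName and filePath from URL
 fileName := r.URL.Query().Get("fileName")
-filePath := path.Join(sharePath, fileName)
+filePath := path.Join(sharePath, path.Join("/", fileName))
 
 fmt.Println(" Deleting file", fileName, "from share", shareId, "...")
 
@@ -170,11 +170,11 @@ func HandleDownload(w http.ResponseWriter, r *http.Request) {
 
 // Obtain shareId and Path from URL
 shareId := r.URL.Query().Get("shareId")
-sharePath := path.Join("data", "share", shareId)
+sharePath := path.Join("data", "share", path.Join("/", shareId))
 
 // Obtain fileName and filePath from URL
 fileName := r.URL.Query().Get("fileName")
-filePath := path.Join(sharePath, fileName)
+filePath := path.Join(sharePath, path.Join("/", fileName))
 
 fmt.Println(" Downloading file", fileName, "from share", shareId, "...")
 
@@ -264,7 +264,7 @@ func HandleCreate(w http.ResponseWriter, r *http.Request) {
 
 // ...and send it
 w.Header().Set("Content-Type", "application/json")
-w.Write(responseJSON)
+_, _ = w.Write(responseJSON)
 
 fmt.Println("Share created!")
 }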
