author | Christian Pointner <equinox@helsinki.at> | 2016-04-07 11:30:54 (GMT) |
---|---|---|
committer | Christian Pointner <equinox@helsinki.at> | 2016-04-07 11:30:54 (GMT) |
commit | 59201ce9e806a559e9530660534892f6a8ddb2b6 (patch) | |
tree | 9898f8cf79eb26cd5e63706f21d18f2b0601a1a7 | |
parent | 571371c22c343309ecfdad58b5bdf826c03a5b97 (diff) |
fix possible path traversal
-rw-r--r-- | src/rhimportd/uploadWeb.go | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/rhimportd/uploadWeb.go b/src/rhimportd/uploadWeb.go
index ee86e0f..7f4a483 100644
--- a/src/rhimportd/uploadWeb.go
+++ b/src/rhimportd/uploadWeb.go
@@ -35,6 +35,8 @@ import (
 "mime/multipart"
 "net/http"
 "os"
+ "path"
+ "path/filepath"
 "strings"
 "time"
 )
@@ -161,7 +163,7 @@ func webUploadHandler(conf *rhimport.Config, db *rddb.DBChan, sessions *rhimport
 return
 }
- dstfile := dstpath + "/" + srcfile
+ dstfile := filepath.Join(dstpath, path.Clean("/"+srcfile))
 dst, err := os.OpenFile(dstfile, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600)
 if err != nil {
 rhl.Printf("WebUploadHandler: Unable to create file '%s': %v", dstfile, err)|
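Review bot: The new `dstfile` line cleans the name with `path.Clean`, which only understands `/`, and then joins it with `filepath.Join`, which uses the OS separator. The result can also still carry directory components (`a/b/c`) rather than a single file name. On a slash-separated platform the rooted clean does keep the result under `dstpath`, but if uploads are meant to land flat in `dstpath`, I would reduce the name to its last element with `name := filepath.Base(path.Clean("/" + srcfile))`. Reject the upload when `name` is a bare separator, `.` or `..`, then use `dstfile := filepath.Join(dstpath, name)`. A short comment on that line saying that `srcfile` is client-supplied and must never escape `dstpath` would help the next reader. Where `srcfile` is assigned is outside this hunk, so its origin is presumed from the handler name, and `webUploadHandler` continues past the visible lines.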