diff options
| author | Christian Pointner <equinox@helsinki.at> | 2016-04-07 11:30:54 (GMT) |
|---|---|---|
| committer | Christian Pointner <equinox@helsinki.at> | 2016-04-07 11:30:54 (GMT) |
| commit | 59201ce9e806a559e9530660534892f6a8ddb2b6 (patch) | |
| tree | 9898f8cf79eb26cd5e63706f21d18f2b0601a1a7 /src | |
| parent | 571371c22c343309ecfdad58b5bdf826c03a5b97 (diff) | |
fix possible path transversal
Diffstat (limited to 'src')
| -rw-r--r-- | src/rhimportd/uploadWeb.go | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/rhimportd/uploadWeb.go b/src/rhimportd/uploadWeb.go index ee86e0f..7f4a483 100644 --- a/src/rhimportd/uploadWeb.go +++ b/src/rhimportd/uploadWeb.go @@ -35,6 +35,8 @@ import ( "mime/multipart" "net/http" "os" + "path" + "path/filepath" "strings" "time" ) @@ -161,7 +163,7 @@ func webUploadHandler(conf *rhimport.Config, db *rddb.DBChan, sessions *rhimport return } - dstfile := dstpath + "/" + srcfile + dstfile := filepath.Join(dstpath, path.Clean("/"+srcfile)) dst, err := os.OpenFile(dstfile, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600) if err != nil { rhl.Printf("WebUploadHandler: Unable to create file '%s': %v", dstfile, err) |