From 59201ce9e806a559e9530660534892f6a8ddb2b6 Mon Sep 17 00:00:00 2001
From: Christian Pointner <equinox@helsinki.at>
Date: Thu, 7 Apr 2016 13:30:54 +0200
Subject: fix possible path transversal


diff --git a/src/rhimportd/uploadWeb.go b/src/rhimportd/uploadWeb.go
index ee86e0f..7f4a483 100644
--- a/src/rhimportd/uploadWeb.go
+++ b/src/rhimportd/uploadWeb.go
@@ -35,6 +35,8 @@ import (
 	"mime/multipart"
 	"net/http"
 	"os"
+	"path"
+	"path/filepath"
 	"strings"
 	"time"
 )
@@ -161,7 +163,7 @@ func webUploadHandler(conf *rhimport.Config, db *rddb.DBChan, sessions *rhimport
 		return
 	}
 
-	dstfile := dstpath + "/" + srcfile
+	dstfile := filepath.Join(dstpath, path.Clean("/"+srcfile))
 	dst, err := os.OpenFile(dstfile, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600)
 	if err != nil {
 		rhl.Printf("WebUploadHandler: Unable to create file '%s': %v", dstfile, err)
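Review bot: The cleaned name on the new `dstfile` line can still carry directory components, so a `srcfile` such as `sub/x.wav` is created inside any subdirectory that already exists below `dstpath`, and an empty or dots-only name collapses to `dstpath` itself and only fails later in `os.OpenFile` with a misleading error. If uploads are meant to land directly in `dstpath`, reduce the name to one component and reject the degenerate case before opening: `name := path.Base(path.Clean("/" + srcfile))`, return an error when `name == "/"`, then `dstfile := filepath.Join(dstpath, name)`. `path.Clean` treats only `/` as a separator, so this relies on the daemon running on a platform where `\` is not one. A short comment such as `// srcfile is client-supplied; keep only its base name so the upload cannot leave dstpath` would record why the extra step is there. Where `srcfile` comes from is outside this hunk (presumably the multipart filename), and the body of `webUploadHandler` continues past it.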
-- 
cgit v0.10.2