fix possible path transversal

author: Christian Pointner <equinox@helsinki.at> 2016-04-07 11:30:36 (GMT)
committer: Christian Pointner <equinox@helsinki.at> 2016-04-07 11:30:36 (GMT)
commit: dde276910e0c7b12f5e5e5797bc4e9dedac4e7d3 (patch)
tree: d9ca6452ad9ca63b04897da83511f5f6d74e92bd /rhimport/fetcher.go
parent: 46dd82ebbdac86701aedccc7712ef396da459507 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/rhimport/fetcher.go b/rhimport/fetcher.go
index f53ed04..2ff5a9c 100644
--- a/rhimport/fetcher.go
+++ b/rhimport/fetcher.go
@@ -63,7 +63,7 @@ func curlHeaderCallback(ptr []byte, userdata interface{}) bool {
 	if strings.HasPrefix(hdr, "Content-Disposition:") {
 		if mediatype, params, err := mime.ParseMediaType(strings.TrimPrefix(hdr, "Content-Disposition:")); err == nil {
 			if mediatype == "attachment" {
-				data.filename = data.basepath + "/" + params["filename"]
+				data.filename = filepath.Join(data.basepath, path.Clean("/"+params["filename"]))
 			}
 		}
 	}
@@ -74,7 +74,7 @@ func curlWriteCallback(ptr []byte, userdata interface{}) bool {
 	data := userdata.(*FetcherCurlCBData)
 	if data.file == nil {
 		if data.filename == "" {
-			data.filename = data.basepath + "/" + data.remotename
+			data.filename = filepath.Join(data.basepath, path.Clean("/"+data.remotename))
 		}
 		fp, err := os.OpenFile(data.filename, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600)
 		if err != nil {
author	Christian Pointner <equinox@helsinki.at>	2016-04-07 11:30:36 (GMT)
committer	Christian Pointner <equinox@helsinki.at>	2016-04-07 11:30:36 (GMT)
commit	dde276910e0c7b12f5e5e5797bc4e9dedac4e7d3 (patch)
tree	d9ca6452ad9ca63b04897da83511f5f6d74e92bd /rhimport/fetcher.go
parent	46dd82ebbdac86701aedccc7712ef396da459507 (diff)