From dde276910e0c7b12f5e5e5797bc4e9dedac4e7d3 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Thu, 7 Apr 2016 13:30:36 +0200
Subject: fix possible path transversal
diff --git a/rhimport/fetcher.go b/rhimport/fetcher.go
index f53ed04..2ff5a9c 100644
--- a/rhimport/fetcher.go
+++ b/rhimport/fetcher.go
@@ -63,7 +63,7 @@ func curlHeaderCallback(ptr []byte, userdata interface{}) bool {
 if strings.HasPrefix(hdr, "Content-Disposition:") {
 if mediatype, params, err := mime.ParseMediaType(strings.TrimPrefix(hdr, "Content-Disposition:")); err == nil {
 if mediatype == "attachment" {
- data.filename = data.basepath + "/" + params["filename"]
+ data.filename = filepath.Join(data.basepath, path.Clean("/"+params["filename"]))
 }
 }
 }
@@ -74,7 +74,7 @@ func curlWriteCallback(ptr []byte, userdata interface{}) bool {
 data := userdata.(*FetcherCurlCBData)
 if data.file == nil {
 if data.filename == "" {
- data.filename = data.basepath + "/" + data.remotename
+ data.filename = filepath.Join(data.basepath, path.Clean("/"+data.remotename))
 }
 fp, err := os.OpenFile(data.filename, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600)
 if err != nil {
-- cgit v0.10.2
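Review bot: In curlHeaderCallback the server-supplied `filename` can still be missing, empty, or made up only of `..` segments, and then `path.Clean("/"+params["filename"])` is `/`, so `data.filename` becomes `data.basepath` itself. That value is non-empty, so the `data.filename == ""` fallback to `data.remotename` in curlWriteCallback (second hunk) is skipped and `os.OpenFile` is attempted on the directory; the second hunk collapses the same way if `data.remotename` is empty. A name containing slashes is also kept as a sub-path under basepath, which looks unintended since nothing visible creates those directories. Consider keeping only the last component and ignoring an unusable one: `if name := path.Base(path.Clean("/" + params["filename"])); name != "/" { data.filename = filepath.Join(data.basepath, name) }`. The function body starts and ends outside the hunk.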
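Review bot: The rooted-clean expression in curlWriteCallback is a copy of the one in curlHeaderCallback, and neither carries a comment saying why `/` is prepended, so a later edit could easily drop the protection at one of the two sites. A small helper used by both, e.g. `func safeJoin(base, name string) string { return filepath.Join(base, path.Clean("/"+name)) }` with the comment `// safeJoin roots name at "/" before cleaning so ".." segments cannot climb above base.`, would keep them in step. It would also be the place to record that `path.Clean` treats only `/` as a separator, so the guarantee presumably holds only on platforms where `filepath` uses `/`. The function body continues outside the hunk.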