Upstream/waveterm
1
0
Fork 0
mirror of https://github.com/wavetermdev/waveterm.git synced 2025-01-02 18:39:05 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix uncontrolled path expression in ExpandHomeDir (#816)

Browse Source
This commit is contained in:
Evan Simkowitz 2024-09-24 16:19:59 -07:00 committed by GitHub
parent acdc58877f
commit a369381c4e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/wavebase/wavebase.go
View File

@ -59,7 +59,7 @@ func ExpandHomeDir(pathStr string) string {
if pathStr == "~" { if pathStr == "~" {
return homeDir return homeDir
} }
return filepath.Join(homeDir, pathStr[2:]) return filepath.Clean(filepath.Join(homeDir, pathStr[2:]))
} }
func ReplaceHomeDir(pathStr string) string { func ReplaceHomeDir(pathStr string) string {

3
pkg/web/web.go
View File

@ -14,6 +14,7 @@ import (
"net" "net"
"net/http" "net/http"
"os" "os"
"path/filepath"
"runtime/debug" "runtime/debug"
"strconv" "strconv"
"time" "time"
@ -223,7 +224,7 @@ func handleLocalStreamFile(w http.ResponseWriter, r *http.Request, fileName stri
// use the custom response writer // use the custom response writer
rw := &notFoundBlockingResponseWriter{w: w, headers: http.Header{}} rw := &notFoundBlockingResponseWriter{w: w, headers: http.Header{}}
// Serve the file using http.ServeFile // Serve the file using http.ServeFile
http.ServeFile(rw, r, fileName) http.ServeFile(rw, r, filepath.Clean(fileName))
// if the file was not found, serve the transparent GIF // if the file was not found, serve the transparent GIF
log.Printf("got streamfile status: %d\n", rw.status) log.Printf("got streamfile status: %d\n", rw.status)
if rw.status == http.StatusNotFound { if rw.status == http.StatusNotFound {