chiu
/
filebrowser
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 1 Wiki Activity

fix: prevent maliciously constructed parameters like `/api/public/dl/XZzCDnK2_not_exists_hash_name` cause panic (#791)

This commit is contained in:
ttys3 2019-07-05 19:15:57 +08:00 committed by Henrique Dias
parent 888e08792e
commit be902be453
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
http/public.go
View File

@ -40,8 +40,15 @@ var withHashFile = func(fn handleFunc) handleFunc {
} }
} }
// ref to https://github.com/filebrowser/filebrowser/pull/727
// `/api/public/dl/MEEuZK-v/file-name.txt` for old browsers to save file with correct name
func ifPathWithName(r *http.Request) string { func ifPathWithName(r *http.Request) string {
pathElements := strings.Split(r.URL.Path, "/") pathElements := strings.Split(r.URL.Path, "/")
// prevent maliciously constructed parameters like `/api/public/dl/XZzCDnK2_not_exists_hash_name`
// len(pathElements) will be 1, and golang will panic `runtime error: index out of range`
if len(pathElements) < 2 {
return r.URL.Path
}
id := pathElements[len(pathElements)-2] id := pathElements[len(pathElements)-2]
return id return id
} }