| author | Samuel Johnson <[email protected]> | 2025-11-25 21:26:29 -0500 |
|---|---|---|
| committer | Samuel Johnson <[email protected]> | 2025-11-25 21:26:29 -0500 |
| commit | 2c8a11be8f3305652f54ff6dd58ec51275658c54 (patch) | |
| tree | f6f9d0f61fa959ae20894e6af2ec2e4af8480155 | |
| parent | bccb4dc33349a7b30f6544774d22de8a18b72dcb (diff) | |
Prevent file loader from reading outside dir
| -rw-r--r-- | cmd/web/handlers/fs.go | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/cmd/web/handlers/fs.go b/cmd/web/handlers/fs.go
index 1a68e35..8a10409 100644
--- a/cmd/web/handlers/fs.go
+++ b/cmd/web/handlers/fs.go
@@ -34,7 +34,14 @@ func (ctx *fsContext) readdir(w http.ResponseWriter, r *http.Request) {
 
 func (ctx *fsContext) get(w http.ResponseWriter, r *http.Request) {
 name := r.URL.Query().Get("file")
- file, err := os.ReadFile(ctx.path + "/" + name)
+ root, err := os.OpenRoot(ctx.path)
+ if err != nil {
+ ctx.err.Printf("Could not create root: %v\n", err)
+ http.Error(w, "Internal Server Error", 500)
+ return
+ }
+
+ file, err := root.ReadFile(name)
 if err != nil {
 ctx.err.Print(err.Error())
 http.Error(w, "Internal Server Error", 500) |
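Review bot: The `*os.Root` returned by `os.OpenRoot(ctx.path)` in `get` is never closed, and since all eight inserted lines are in this hunk, no `Close` call was added elsewhere. Each request therefore leaves a directory handle open until the garbage collector finalizes it, which under load can exhaust file descriptors on a handler driven by the `file` query parameter. Add `defer root.Close()` directly after the `OpenRoot` error check, or open the root once when `fsContext` is built and reuse it. Separately, a name that `root.ReadFile` rejects for escaping the directory, or a missing file, still reaches the existing 500 branch; answering with 404 or 400 would keep client errors apart from real server faults in the logs. The body of `get` continues past the end of the hunk.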
