lisone/ds2api
1
0
Fork 0
mirror of https://github.com/CJackHwang/ds2api.git synced 2026-05-16 14:15:20 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix security advisory issues

Browse Source
This commit is contained in:
CJACK
2026-05-10 17:01:22 +08:00
parent 22a00dc667
commit 03ea3728e7
4 changed files with 118 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
internal/webui/handler.go
View File

@@ -95,11 +95,12 @@ func setStaticContentType(w http.ResponseWriter, fullPath string) {
}
func (h *Handler) serveFromDisk(w http.ResponseWriter, r *http.Request, staticDir string) {
root := filepath.Clean(staticDir)
path := strings.TrimPrefix(r.URL.Path, "/admin")
path = strings.TrimPrefix(path, "/")
if path != "" && strings.Contains(path, ".") {
full := filepath.Join(staticDir, filepath.Clean(path))
if !strings.HasPrefix(full, staticDir) {
full := filepath.Join(root, filepath.Clean(path))
if full != root && !strings.HasPrefix(full, root+string(os.PathSeparator)) {
http.NotFound(w, r)
return
}
@@ -116,7 +117,7 @@ func (h *Handler) serveFromDisk(w http.ResponseWriter, r *http.Request, staticDi
http.NotFound(w, r)
return
}
index := filepath.Join(staticDir, "index.html")
index := filepath.Join(root, "index.html")
if _, err := os.Stat(index); err != nil {
http.Error(w, "index.html not found", http.StatusNotFound)
return