fix webui static root path guard

CJACK
2026-05-10 18:55:57 +08:00
parent 77a47ada4e
commit 3569ae136a
2 changed files with 34 additions and 1 deletions


@@ -100,7 +100,7 @@ func (h *Handler) serveFromDisk(w http.ResponseWriter, r *http.Request, staticDi
path = strings.TrimPrefix(path, "/")
if path != "" && strings.Contains(path, ".") {
full := filepath.Join(root, filepath.Clean(path))
if full != root && !strings.HasPrefix(full, root+string(os.PathSeparator)) {
if !isPathInsideRoot(full, root) {
http.NotFound(w, r)
return
}
@@ -127,6 +127,20 @@ func (h *Handler) serveFromDisk(w http.ResponseWriter, r *http.Request, staticDi
http.ServeFile(w, r, index)
}
func isPathInsideRoot(path, root string) bool {
cleanPath := filepath.Clean(path)
cleanRoot := filepath.Clean(root)
if cleanPath == cleanRoot {
return true
}
volume := filepath.VolumeName(cleanRoot)
rootWithoutVolume := cleanRoot[len(volume):]
if rootWithoutVolume == string(os.PathSeparator) {
return strings.HasPrefix(cleanPath, cleanRoot)
}
return strings.HasPrefix(cleanPath, cleanRoot+string(os.PathSeparator))
}
func resolveStaticAdminDir(preferred string) string {
if strings.TrimSpace(os.Getenv("DS2API_STATIC_ADMIN_DIR")) != "" {
return filepath.Clean(preferred)
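Review bot: The new `isPathInsideRoot` helper is a purely lexical check: it runs `filepath.Clean` on both arguments and compares prefixes, so a symlink under the static root that points elsewhere still passes the guard in `serveFromDisk`. If the static directory can contain links that are not trusted, resolve `full` and `root` with `filepath.EvalSymlinks` before calling the helper. Otherwise state the limit in a doc comment, for example `// isPathInsideRoot reports whether path is lexically equal to or below root; it does not resolve symlinks.` The comparison is also case-sensitive, so on a case-insensitive filesystem a root spelled with different case would be rejected rather than bypassed, which is worth a short comment as well. The helper has no doc comment at all, and the body of `serveFromDisk` starts and ends outside the visible hunks.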