| 12345678910111213141516171819202122232425262728293031323334353637383940414243 |
- Subject: Adding filepath.Clean to address directory traversal #2
- Origin: upstream, https://github.com/openfibernet/tftp-proxy/pull/3
- Upstream-Author: Arnoud Vermeer <avermeer@tucows.com>
- Date: Wed Feb 7 09:19:09 2024 +0100
- --- a/main.go
- +++ b/main.go
- @@ -4,10 +4,10 @@
- "flag"
- "fmt"
- "io"
- - "io/ioutil"
- "net/http"
- "os"
- "path"
- + "path/filepath"
- "time"
-
- "github.com/pin/tftp"
- @@ -18,9 +18,10 @@
-
- // readHandler is called when client starts file download from server
- func readHandler(filename string, rf io.ReaderFrom) error {
- + file_path := filepath.Clean(path.Join(dir, filename))
-
- - if _, err := os.Stat(path.Join(dir, filename)); err == nil {
- - file, err := os.Open(path.Join(dir, filename))
- + if _, err := os.Stat(file_path); err == nil {
- + file, err := os.Open(file_path)
- if err != nil {
- fmt.Fprintf(os.Stderr, "%v\n", err)
- return err
- @@ -50,8 +51,8 @@
- defer resp.Body.Close()
-
- if resp.StatusCode != 200 {
- - io.Copy(ioutil.Discard, resp.Body)
- - return fmt.Errorf("Received status code: %d", resp.StatusCode)
- + io.Copy(io.Discard, resp.Body)
- + return fmt.Errorf("received status code: %d", resp.StatusCode)
- }
-
- rf.(tftp.OutgoingTransfer).SetSize(resp.ContentLength)
|
