From ca5515387a977cc5329eb0edf3aed82aad80d17e Mon Sep 17 00:00:00 2001 From: kingecg Date: Sat, 11 Jul 2026 18:31:11 +0800 Subject: [PATCH] ``` fix(file): add path cleaning to prevent directory traversal Clean the path to resolve any ".." components before checking to enhance security and prevent path traversal vulnerabilities. ``` --- handler/file.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/handler/file.go b/handler/file.go index 5893212..448f96c 100644 --- a/handler/file.go +++ b/handler/file.go @@ -46,6 +46,9 @@ func (f FileHandler) Open(name string) (http.File, error) { rPath = filepath.Join(f.Root, strings.TrimPrefix(relatedPath, "/")) } + // Clean the path to resolve any ".." components before checking + rPath = filepath.Clean(rPath) + // Resolve symlinks and clean path to prevent path traversal realRoot, err := filepath.EvalSymlinks(f.Root) if err != nil {