mirror of
https://github.com/caddyserver/caddy.git
synced 2025-01-13 22:51:08 -05:00
Move sanitization of URL.Path to Server
No need to have this in every plugin. And, even in flat filesystems filenames with dots and slashes are best avoided.
This commit is contained in:
parent
4e98cc3005
commit
f31875dfde
1 changed files with 11 additions and 0 deletions
|
@ -14,6 +14,7 @@ import (
|
|||
"net"
|
||||
"net/http"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"runtime"
|
||||
"strings"
|
||||
"sync"
|
||||
|
@ -332,6 +333,16 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
}
|
||||
|
||||
// Use URL.RawPath If you need the original, "raw" URL.Path in your middleware.
|
||||
// Collapse any ./ ../ /// madness here instead of doing that in every plugin.
|
||||
if r.URL.Path != "/" {
|
||||
path := filepath.Clean(r.URL.Path)
|
||||
if !strings.HasPrefix(path, "/") {
|
||||
path = "/" + path
|
||||
}
|
||||
r.URL.Path = path
|
||||
}
|
||||
|
||||
// Execute the optional request callback if it exists and it's not disabled
|
||||
if s.ReqCallback != nil && !s.vhosts[host].config.TLS.Manual && s.ReqCallback(w, r) {
|
||||
return
|
||||
|
|
Loading…
Reference in a new issue