net/http: don't allow zero byte in FileServer paths

Should probably be fixed in the syscall package, either
additional or instead of this CL.

Fixes #3842

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/6442061

diff --git a/src/pkg/net/http/fs.go b/src/pkg/net/http/fs.go
index 396bffe9c9e7eaa917f370c8f28e164c69a0935a..208d6cabb2cdcb11473deb89638d16c594bac64c 100644 (file)
--- a/src/pkg/net/http/fs.go
+++ b/src/pkg/net/http/fs.go
@@ -28,7 +28,8 @@ import (
 type Dir string
 
 func (d Dir) Open(name string) (File, error) {
-       if filepath.Separator != '/' && strings.IndexRune(name, filepath.Separator) >= 0 {
+       if filepath.Separator != '/' && strings.IndexRune(name, filepath.Separator) >= 0 ||
+               strings.Contains(name, "\x00") {
                return nil, errors.New("http: invalid character in file path")
        }
        dir := string(d)

diff --git a/src/pkg/net/http/fs_test.go b/src/pkg/net/http/fs_test.go
index 35c6ba617e24a932ff7837c8d521815c9c4cc082..0ebec8ce57758179e71bc002cb23a27ae91fecff 100644 (file)
--- a/src/pkg/net/http/fs_test.go
+++ b/src/pkg/net/http/fs_test.go
@@ -389,6 +389,23 @@ func TestServeIndexHtml(t *testing.T) {
        }
 }
 
+func TestFileServerZeroByte(t *testing.T) {
+       ts := httptest.NewServer(FileServer(Dir(".")))
+       defer ts.Close()
+
+       res, err := Get(ts.URL + "/..\x00")
+       if err != nil {
+               t.Fatal(err)
+       }
+       b, err := ioutil.ReadAll(res.Body)
+       if err != nil {
+               t.Fatal("reading Body:", err)
+       }
+       if res.StatusCode == 200 {
+               t.Errorf("got status 200; want an error. Body is:\n%s", string(b))
+       }
+}
+
 type fakeFileInfo struct {
        dir      bool
        basename string