From 706832a0882c7300889238d5f4d476dc2ee83ad0 Mon Sep 17 00:00:00 2001 From: Brad Fitzpatrick Date: Sat, 22 Sep 2012 05:54:20 +1000 Subject: [PATCH] [release-branch.go1] net/http: don't allow zero byte in FileServer paths MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit ««« backport 2307a931664e net/http: don't allow zero byte in FileServer paths Should probably be fixed in the syscall package, either additional or instead of this CL. Fixes #3842 R=golang-dev, rsc CC=golang-dev https://golang.org/cl/6442061 »»»
---
src/pkg/net/http/fs.go | 3 ++-
src/pkg/net/http/fs_test.go | 17 +++++++++++++++++
2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/src/pkg/net/http/fs.go b/src/pkg/net/http/fs.go
index 396bffe9c9..208d6cabb2 100644
--- a/src/pkg/net/http/fs.go
+++ b/src/pkg/net/http/fs.go
@@ -28,7 +28,8 @@ import (
 type Dir string

 func (d Dir) Open(name string) (File, error) {
- if filepath.Separator != '/' && strings.IndexRune(name, filepath.Separator) >= 0 {
+ if filepath.Separator != '/' && strings.IndexRune(name, filepath.Separator) >= 0 ||
+ strings.Contains(name, "\x00") {
 return nil, errors.New("http: invalid character in file path")
 }
 dir := string(d)
diff --git a/src/pkg/net/http/fs_test.go b/src/pkg/net/http/fs_test.go
index 12b51aea72..572bef5045 100644
--- a/src/pkg/net/http/fs_test.go
+++ b/src/pkg/net/http/fs_test.go
@@ -384,6 +384,23 @@ func TestServeIndexHtml(t *testing.T) {
 }
 }

+func TestFileServerZeroByte(t *testing.T) {
+ ts := httptest.NewServer(FileServer(Dir(".")))
+ defer ts.Close()
+
+ res, err := Get(ts.URL + "/..\x00")
+ if err != nil {
+ t.Fatal(err)
+ }
+ b, err := ioutil.ReadAll(res.Body)
+ if err != nil {
+ t.Fatal("reading Body:", err)
+ }
+ if res.StatusCode == 200 {
+ t.Errorf("got status 200; want an error. Body is:\n%s", string(b))
+ }
+}
+
 type fakeFileInfo struct {
 dir bool
 basename string
--
2.50.0
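Review bot: The new condition in Dir.Open mixes `&&` and `||` without parentheses and has no comment saying why a zero byte is rejected. Go binds `&&` tighter, so it evaluates as `(filepath.Separator != '/' && strings.IndexRune(name, filepath.Separator) >= 0) || strings.Contains(name, "\x00")`, which is the intended meaning, but the grouping should be written out or the NUL test given its own `if`. A comment such as `// Reject NUL: the OS path calls presumably stop at the first zero byte, so the file opened could differ from the name validated here.` would record the reason. Since the commit message says the syscall package may be the better place for this, a `// TODO: move this check into syscall` note would keep that visible. Open's body continues past the end of the hunk.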
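Review bot: TestFileServerZeroByte only asserts that the status is not 200, so it would also pass on a redirect or on any unrelated failure, and it does not pin the new check in Dir.Open itself. A direct assertion such as `if _, err := Dir(".").Open("/..\x00"); err == nil { t.Error("Open accepted a name containing a zero byte") }` would test the guard without depending on how the HTTP client and server handle the byte in the URL. The test also never closes the response body; add `res.Body.Close()` after the `ioutil.ReadAll` call.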