lbsadmin
/
Beego
mirror of https://github.com/astaxie/beego.git
1
0
Fork 0
Code Issues Releases Activity

Merge pull request #3383 from LockGit/develop 

security question, fix arbitrary file read
This commit is contained in:
astaxie 2018-11-08 23:21:18 +08:00 committed by GitHub
parent f64e6b72e9 9865779f14
commit 8391d26220
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
session/sess_file.go
View File

@ -21,6 +21,7 @@ import (
"os"
"path"
"path/filepath"
"strings"
"sync"
"time"
)
@ -127,6 +128,9 @@ func (fp *FileProvider) SessionInit(maxlifetime int64, savePath string) error {
// if file is not exist, create it.
// the file path is generated from sid string.
func (fp *FileProvider) SessionRead(sid string) (Store, error) {
if strings.ContainsAny(sid, "./") {
return nil, nil
}
filepder.lock.Lock()
defer filepder.lock.Unlock()