1
0
mirror of https://github.com/astaxie/beego.git synced 2024-12-23 02:10:50 +00:00

Merge pull request #3383 from LockGit/develop

security question, fix arbitrary file read
This commit is contained in:
astaxie 2018-11-08 23:21:18 +08:00 committed by GitHub
commit 8391d26220
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -21,6 +21,7 @@ import (
"os"
"path"
"path/filepath"
"strings"
"sync"
"time"
)
@ -127,6 +128,9 @@ func (fp *FileProvider) SessionInit(maxlifetime int64, savePath string) error {
// if file is not exist, create it.
// the file path is generated from sid string.
func (fp *FileProvider) SessionRead(sid string) (Store, error) {
if strings.ContainsAny(sid, "./") {
return nil, nil
}
filepder.lock.Lock()
defer filepder.lock.Unlock()