From 9865779f149669777ee33aae71cd29c8db8ffd66 Mon Sep 17 00:00:00 2001
From: lock
Date: Wed, 7 Nov 2018 11:31:27 +0800
Subject: [PATCH] security question, fix arbitrary file read

---
 session/sess_file.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/session/sess_file.go b/session/sess_file.go
index 53e19811..c089dade 100644
--- a/session/sess_file.go
+++ b/session/sess_file.go
@@ -21,6 +21,7 @@ import (
 "os"
 "path"
 "path/filepath"
+ "strings"
 "sync"
 "time"
 )
@@ -127,6 +128,9 @@ func (fp *FileProvider) SessionInit(maxlifetime int64, savePath string) error {
 // if file is not exist, create it.
 // the file path is generated from sid string.
 func (fp *FileProvider) SessionRead(sid string) (Store, error) {
+ if strings.ContainsAny(sid, "./") {
+ return nil, nil
+ }
 filepder.lock.Lock()
 defer filepder.lock.Unlock()
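Review bot: The new guard in SessionRead returns `nil, nil` for a rejected sid, so a caller that only checks the error gets a nil Store and will most likely dereference it or treat the lookup as a normal miss; a rejected id should be reported as an error, e.g. `return nil, errors.New("invalid session id")` (adding the `errors` import if the file does not already have it). The denylist is also narrower than the path-building code it protects: the file imports `path/filepath`, whose `Join` treats `\` as a separator on Windows, so `strings.ContainsAny(sid, "./\\")` — or, better, rejecting any byte outside the characters the sid generator actually emits — would close that gap. Since SessionRead's body continues outside the hunk, I cannot see whether other methods that derive a file path from sid (SessionExist, SessionRegenerate, SessionDestroy, if present) receive the same check; they presumably need it too, and a shared validation helper would keep the rule in one place.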