lbsadmin/Beego
1
0
Fork 0
mirror of https://github.com/astaxie/beego.git synced 2024-11-22 13:40:55 +00:00
Code Issues Releases Activity

security question, fix arbitrary file read

Browse Source
This commit is contained in:
lock 2018-11-07 11:31:27 +08:00
parent f64e6b72e9
commit 9865779f14
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
session/sess_file.go
View File

@ -21,6 +21,7 @@ import (
"os" "os"
"path" "path"
"path/filepath" "path/filepath"
"strings"
"sync" "sync"
"time" "time"
) )
@ -127,6 +128,9 @@ func (fp *FileProvider) SessionInit(maxlifetime int64, savePath string) error {
// if file is not exist, create it. // if file is not exist, create it.
// the file path is generated from sid string. // the file path is generated from sid string.
func (fp *FileProvider) SessionRead(sid string) (Store, error) { func (fp *FileProvider) SessionRead(sid string) (Store, error) {
if strings.ContainsAny(sid, "./") {
return nil, nil
}
filepder.lock.Lock() filepder.lock.Lock()
defer filepder.lock.Unlock() defer filepder.lock.Unlock()