Merge pull request #3383 from LockGit/develop

security question, fix arbitrary file read

Merge pull request #3383 from LockGit/develop
security question, fix arbitrary file read
8391d262 · astaxie · GitHub · f64e6b72 · 9865779f · 8391d262
Unverified Commit 8391d262 authored Nov 08, 2018 by astaxie Committed by GitHub Nov 08, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

sess_file.go session/sess_file.go +4 -0

No files found.
--- a/session/sess_file.go
+++ b/session/sess_file.go
@@ -21,6 +21,7 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"strings"
 	"sync"
 	"time"
 )
@@ -127,6 +128,9 @@ func (fp *FileProvider) SessionInit(maxlifetime int64, savePath string) error {
 // if file is not exist, create it.
 // the file path is generated from sid string.
 func (fp *FileProvider) SessionRead(sid string) (Store, error) {
+	if strings.ContainsAny(sid, "./") {
+		return nil, nil
+	}
 	filepder.lock.Lock()
 	defer filepder.lock.Unlock()