author | Matt Holt <[email protected]> | 2023-05-15 10:48:05 -0600 |
---|---|---|
committer | GitHub <[email protected]> | 2023-05-15 10:48:05 -0600 |
commit | 52d7335c2b1b8424e8971a9b03f51a5f36583535 (patch) | |
tree | 23ea631b9bece465b9cfa35367099fe373b6afdd /modules/caddyhttp/fileserver/browse.go | |
parent | 96919acc9d583ef11ea1f9c72a9991fb3f8aab9f (diff) | |
fileserver: Use EscapedPath for browse (#5534)
* fileserver: Use EscapedPath for browse
Fix #5143
* Fixes if filter element is not present
* Remove extraneous line
Diffstat (limited to 'modules/caddyhttp/fileserver/browse.go')
-rw-r--r-- | modules/caddyhttp/fileserver/browse.go | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/modules/caddyhttp/fileserver/browse.go b/modules/caddyhttp/fileserver/browse.go
index e1a089421..7cb6e4077 100644
--- a/modules/caddyhttp/fileserver/browse.go
+++ b/modules/caddyhttp/fileserver/browse.go
@@ -82,8 +82,8 @@ func (fsrv *FileServer) serveBrowse(root, dirPath string, w http.ResponseWriter,
 repl := r.Context().Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
- // calling path.Clean here prevents weird breadcrumbs when URL paths are sketchy like /%2e%2e%2f
- listing, err := fsrv.loadDirectoryContents(r.Context(), dir.(fs.ReadDirFile), root, path.Clean(r.URL.Path), repl)
+ // TODO: not entirely sure if path.Clean() is necessary here but seems like a safe plan (i.e. /%2e%2e%2f) - someone could verify this
+ listing, err := fsrv.loadDirectoryContents(r.Context(), dir.(fs.ReadDirFile), root, path.Clean(r.URL.EscapedPath()), repl)
 switch {
 case os.IsPermission(err):
 return caddyhttp.Error(http.StatusForbidden, err) |
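Review bot: On the added `listing, err :=` line, `path.Clean` now runs on the still-encoded string, so it no longer collapses the case the comment cites: `path.Clean("/%2e%2e%2f")` returns its input unchanged because `%2e%2e` is not a `..` segment until decoded, whereas the old `r.URL.Path` argument was already decoded. The TODO therefore describes a protection the call does not give for percent-encoded dot segments or encoded slashes. If `loadDirectoryContents` uses this value only for breadcrumbs and links (the removed comment suggests so, but its body is outside the hunk), consider normalising the decoded path and escaping afterwards, e.g. `(&url.URL{Path: path.Clean(r.URL.Path)}).EscapedPath()`, or at least replace the TODO with `// path.Clean only normalizes literal dot segments; percent-encoded ones (e.g. /%2e%2e%2f) pass through unchanged`. A regression test that requests an encoded dot-segment path and checks the rendered listing would settle the TODO. `serveBrowse` starts and ends outside the hunk.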