net/http: parent directory listing vulnerability #3842
Correction: by any directory I meant any subdirectory in http.FileHandler.

Until this is fixed (the best place is in path.Clean probably?) a possible workaround for those who need it might be something like this:

```go
func hardened(handler http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		index := strings.Index(r.URL.Path, "\x00")
		if index >= 0 {
			http.Error(w, "403 Forbidden", 403)
		} else {
			handler.ServeHTTP(w, r)
		}
	})
}

// ...

http.ListenAndServe(":80", hardened(http.DefaultServeMux))
```
Labels changed: removed priority-triage. Owner changed to @bradfitz. Status changed to Accepted.

This issue was closed by revision 538b212. Status changed to Fixed.
bradfitz added a commit that referenced this issue May 11, 2015
«««
backport 2307a931664e
net/http: don't allow zero byte in FileServer paths

Should probably be fixed in the syscall package, either
additional or instead of this CL.

Fixes #3842

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/6442061
»»»
This issue was closed.
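A regression check for the workaround and the fix discussed in this thread, added here as an example (it is not code from the issue or from the Go project): it serves a constructed temporary tree with http.FileServer and compares the status returned for a path containing a zero byte, with and without a wrapper modeled on the hardened() workaround above. The names rejectNUL, probe and statuses, the temp-directory layout and the probe path "/sub/\x00" are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"strings"
)

// rejectNUL follows the thread's workaround (name is hypothetical): 403 on a zero byte.
func rejectNUL(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.Contains(r.URL.Path, "\x00") {
			http.Error(w, "403 Forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe serves one in-process GET with the decoded path set directly.
func probe(h http.Handler, decodedPath string) int {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.URL.Path = decodedPath
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// statuses serves a constructed temp tree (sub/a.txt) and returns the status
// for decodedPath from a bare http.FileServer and from one behind rejectNUL.
func statuses(decodedPath string) (bare, wrapped int, err error) {
	root, err := os.MkdirTemp("", "issue3842-")
	if err != nil {
		return 0, 0, err
	}
	defer os.RemoveAll(root)
	if err = os.Mkdir(filepath.Join(root, "sub"), 0o755); err == nil {
		err = os.WriteFile(filepath.Join(root, "sub", "a.txt"), []byte("ok"), 0o644)
	}
	if err != nil {
		return 0, 0, err
	}
	fs := http.FileServer(http.Dir(root))
	return probe(fs, decodedPath), probe(rejectNUL(fs), decodedPath), nil
}

func main() { fmt.Println(statuses("/sub/\x00")) }
```

On a toolchain that includes the fix, the bare FileServer should not answer the zero-byte path with 200, and the wrapper answers 403 either way.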