static: clean the path URL before redirecting (#199)

go-macaron · May 3, 2020 · addc746 · addc746
1 parent 002c0ce
commit addc746
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/static.go b/static.go
@@ -149,8 +149,9 @@ func staticHandler(ctx *Context, log *log.Logger, opt StaticOptions) bool {
 	// Try to serve index file
 	if fi.IsDir() {
 		// Redirect if missing trailing slash.
-		if !strings.HasSuffix(ctx.Req.URL.Path, "/") {
-			http.Redirect(ctx.Resp, ctx.Req.Request, ctx.Req.URL.Path+"/", http.StatusFound)
+		redirPath := path.Clean(ctx.Req.URL.Path)
+		if !strings.HasSuffix(redirPath, "/") {
+			http.Redirect(ctx.Resp, ctx.Req.Request, redirPath+"/", http.StatusFound)
 			return true
 		}
 

diff --git a/static_test.go b/static_test.go
@@ -218,6 +218,18 @@ func Test_Static_Redirect(t *testing.T) {
 		So(resp.Code, ShouldEqual, http.StatusFound)
 		So(resp.Header().Get("Location"), ShouldEqual, "/public/")
 	})
+
+	Convey("Serve static files with improper request", t, func() {
+		m := New()
+		m.Use(Static(currentRoot))
+
+		resp := httptest.NewRecorder()
+		req, err := http.NewRequest("GET", `http://localhost:4000//example.com%2f..`, nil)
+		So(err, ShouldBeNil)
+		m.ServeHTTP(resp, req)
+
+		So(resp.Code, ShouldEqual, http.StatusNotFound)
+	})
 }
 
 func Test_Statics(t *testing.T) {