From addc7461c3a90a040e79aa75bfd245107a210245 Mon Sep 17 00:00:00 2001
From: Humaid AlQassimi
Date: Sun, 3 May 2020 18:02:27 +0400
Subject: [PATCH] static: clean the path URL before redirecting (#199)
---
 static.go | 5 +++--
 static_test.go | 12 ++++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/static.go b/static.go
index 9f9bca1..593e474 100644
--- a/static.go
+++ b/static.go
@@ -149,8 +149,9 @@ func staticHandler(ctx *Context, log *log.Logger, opt StaticOptions) bool {
 // Try to serve index file
 if fi.IsDir() {
 // Redirect if missing trailing slash.
- if !strings.HasSuffix(ctx.Req.URL.Path, "/") {
- http.Redirect(ctx.Resp, ctx.Req.Request, ctx.Req.URL.Path+"/", http.StatusFound)
+ redirPath := path.Clean(ctx.Req.URL.Path)
+ if !strings.HasSuffix(redirPath, "/") {
+ http.Redirect(ctx.Resp, ctx.Req.Request, redirPath+"/", http.StatusFound)
 return true
 }
diff --git a/static_test.go b/static_test.go
index 5f283ad..27a7dd1 100644
--- a/static_test.go
+++ b/static_test.go
@@ -218,6 +218,18 @@ func Test_Static_Redirect(t *testing.T) {
 So(resp.Code, ShouldEqual, http.StatusFound)
 So(resp.Header().Get("Location"), ShouldEqual, "/public/")
 })
+
+ Convey("Serve static files with improper request", t, func() {
+ m := New()
+ m.Use(Static(currentRoot))
+
+ resp := httptest.NewRecorder()
+ req, err := http.NewRequest("GET", `http://localhost:4000//example.com%2f..`, nil)
+ So(err, ShouldBeNil)
+ m.ServeHTTP(resp, req)
+
+ So(resp.Code, ShouldEqual, http.StatusNotFound)
+ })
 }
 func Test_Statics(t *testing.T) {
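Review bot: In the static.go hunk, `path.Clean` strips the trailing slash from every path except the root, so `!strings.HasSuffix(redirPath, "/")` is now true for any non-root directory, including a request that already ends in `/`; such a request appears to be redirected to its own URL and would loop. Restoring the slash before the check keeps the cleaned value for the Location header without that side effect: `if strings.HasSuffix(ctx.Req.URL.Path, "/") { redirPath += "/" }`. A comment above `redirPath` such as `// Clean collapses a leading "//" so the Location cannot be read as a scheme-relative URL.` would record why the call is there. staticHandler begins and ends outside the hunk, so whether an earlier branch already handles trailing-slash requests cannot be confirmed from here.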
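Review bot: The new case in static_test.go asserts only the status code, which does not pin the property the fix is about, namely that no off-site Location header is produced for `//example.com%2f..`. Adding `So(resp.Header().Get("Location"), ShouldBeEmpty)` would make that explicit; the 404 presumably depends on currentRoot having no index file, which is incidental to the fix. A further case that requests a directory with its trailing slash already present and asserts the response is not a 302 would cover the slash handling after cleaning. Test_Static_Redirect begins outside the hunk.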