Fix path traversal

gorilla · Apr 16, 2024 · 7c3f387 · 7c3f387
1 parent 3eed1c4
commit 7c3f387
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/store.go b/store.go
@@ -257,15 +257,15 @@ func (s *FilesystemStore) save(session *Session) error {
 	if err != nil {
 		return err
 	}
-	filename := filepath.Join(s.path, "session_"+session.ID)
+	filename := filepath.Join(s.path, filepath.Base("session_"+session.ID))
 	fileMutex.Lock()
 	defer fileMutex.Unlock()
 	return os.WriteFile(filename, []byte(encoded), 0600)
 }
 
 // load reads a file and decodes its content into session.Values.
 func (s *FilesystemStore) load(session *Session) error {
-	filename := filepath.Join(s.path, "session_"+session.ID)
+	filename := filepath.Join(s.path, filepath.Base("session_"+session.ID))
 	fileMutex.RLock()
 	defer fileMutex.RUnlock()
 	fdata, err := os.ReadFile(filepath.Clean(filename))
@@ -281,7 +281,7 @@ func (s *FilesystemStore) load(session *Session) error {
 
 // delete session file
 func (s *FilesystemStore) erase(session *Session) error {
-	filename := filepath.Join(s.path, "session_"+session.ID)
+	filename := filepath.Join(s.path, filepath.Base("session_"+session.ID))
 
 	fileMutex.RLock()
 	defer fileMutex.RUnlock()