Cleanup path before auth check

Alexander Neumann 2020-05-02 11:40:55 +02:00
parent f8e774393c
commit 723f29e594


@ -167,7 +167,10 @@ func (s *Server) AuthHandler(f *HtpasswdFile, h http.Handler) http.HandlerFunc {
http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
return
}
if s.PrivateRepos && !isUserPath(username, r.URL.Path) && r.URL.Path != "/metrics" {
// resolve all relative elements in the path
urlPath := path.Clean(r.URL.Path)
if s.PrivateRepos && !isUserPath(username, urlPath) && urlPath != "/metrics" {
http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
return
}
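Review bot: The authorization decision is now made on the cleaned `urlPath`, but nothing in this hunk writes that value back, so the wrapped handler `h` presumably still receives the original `r.URL.Path`. If `h` or its router normalizes the path differently, the path that was checked and the path that is served can diverge. Consider making them identical, either by assigning `r.URL.Path = urlPath` before calling `h`, or by rejecting the request with a 400 when `urlPath != r.URL.Path`. A regression test that sends a non-canonical path (one containing `.` or `..` elements) with `PrivateRepos` enabled and expects 401 would pin the behaviour. The call into `h` and the rest of `AuthHandler` lie outside the hunk, so this should be confirmed against the full function.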