From 723f29e5947bca155eb264cadfcba2b5c671bffe Mon Sep 17 00:00:00 2001
From: Alexander Neumann
Date: Sat, 2 May 2020 11:40:55 +0200
Subject: [PATCH] Cleanup path before auth check
---
 handlers.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/handlers.go b/handlers.go
index 7809e92..315fa4f 100644
--- a/handlers.go
+++ b/handlers.go
@@ -167,7 +167,10 @@ func (s *Server) AuthHandler(f *HtpasswdFile, h http.Handler) http.HandlerFunc {
 http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
 return
 }
- if s.PrivateRepos && !isUserPath(username, r.URL.Path) && r.URL.Path != "/metrics" {
+
+ // resolve all relative elements in the path
+ urlPath := path.Clean(r.URL.Path)
+ if s.PrivateRepos && !isUserPath(username, urlPath) && urlPath != "/metrics" {
 http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
 return
 }
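Review bot: The cleaned `urlPath` is used only for the `isUserPath` and `/metrics` comparison, while the request handed on to `h` presumably still carries the original `r.URL.Path`, so the authorization decision and the later routing may be made on two different strings. Unless the downstream router is known to normalize the path the same way, either pass on the checked value (`r.URL.Path = urlPath` once the check has passed) or refuse non-canonical paths outright. Note that `path.Clean` also strips a trailing slash and turns an empty path into `.`, so confirm both against the existing routes before choosing. A test in which a request path containing `..` elements names another user's repository and is answered with 401 would pin the behaviour. AuthHandler begins before this hunk and continues after it, so the call to `h` is not visible here.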