1
0
mirror of https://github.com/labstack/echo.git synced 2024-12-24 20:14:31 +02:00

Fixed #947, closes #948

Signed-off-by: Vishal Rana <vr@labstack.com>
This commit is contained in:
Vishal Rana 2017-06-07 08:23:43 -07:00
parent 3673d7fb44
commit c05db06020
3 changed files with 27 additions and 3 deletions

12
echo.go
View File

@ -45,6 +45,7 @@ import (
stdLog "log"
"net"
"net/http"
"net/url"
"path"
"path/filepath"
"reflect"
@ -434,7 +435,11 @@ func (e *Echo) Static(prefix, root string) {
func static(i i, prefix, root string) {
h := func(c Context) error {
name := filepath.Join(root, path.Clean("/"+c.Param("*"))) // "/"+ for security
p, err := url.PathUnescape(c.Param("*"))
if err != nil {
return err
}
name := filepath.Join(root, path.Clean("/"+p)) // "/"+ for security
return c.File(name)
}
i.GET(prefix, h)
@ -542,7 +547,10 @@ func (e *Echo) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// Middleware
h := func(c Context) error {
method := r.Method
path := r.URL.Path
path := r.URL.RawPath
if path == "" {
path = r.URL.Path
}
e.router.Find(method, path, c)
h := c.Handler()
for i := len(e.middleware) - 1; i >= 0; i-- {

View File

@ -304,6 +304,17 @@ func TestEchoRoutes(t *testing.T) {
}
}
func TestEchoEncodedPath(t *testing.T) {
e := New()
e.GET("/:id", func(c Context) error {
return c.NoContent(http.StatusOK)
})
req := httptest.NewRequest(GET, "/with%2Fslash", nil)
rec := httptest.NewRecorder()
e.ServeHTTP(rec, req)
assert.Equal(t, http.StatusOK, rec.Code)
}
func TestEchoGroup(t *testing.T) {
e := New()
buf := new(bytes.Buffer)

View File

@ -2,6 +2,7 @@ package middleware
import (
"fmt"
"net/url"
"os"
"path"
"path/filepath"
@ -66,7 +67,7 @@ func StaticWithConfig(config StaticConfig) echo.MiddlewareFunc {
}
return func(next echo.HandlerFunc) echo.HandlerFunc {
return func(c echo.Context) error {
return func(c echo.Context) (err error) {
if config.Skipper(c) {
return next(c)
}
@ -75,6 +76,10 @@ func StaticWithConfig(config StaticConfig) echo.MiddlewareFunc {
if strings.HasSuffix(c.Path(), "*") { // When serving from a group, e.g. `/static*`.
p = c.Param("*")
}
p, err = url.PathUnescape(p)
if err != nil {
return err
}
name := filepath.Join(config.Root, path.Clean("/"+p)) // "/"+ for security
fi, err := os.Stat(name)